Windows Analysis Report
1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Overview

General Information

Sample name: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe
(renamed file extension from old to exe)
Original sample name: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.old
Analysis ID: 1466878
MD5: cc4dd46308ebb24e27b340426f05056c
SHA1: 2e6339d284b125fd9872dd35ea2cbb8e926857c2
SHA256: 15a7081b1f16351979220fbf17d2f79579d216aac7a988d888b02706ddb1cf20

Detection

ScreenConnect Tool
Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 33
Range: 0 - 100

Signatures

.NET source code references suspicious native API functions
AI detected suspicious sample
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Enables network access during safeboot for specific services
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains an invalid checksum
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected ScreenConnect Tool

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 92.6% probability
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E1260 LocalAlloc,LocalAlloc,GetModuleFileNameW,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,ReadFile,LocalAlloc,SetFilePointer,ReadFile,CertOpenSystemStoreA,LocalFree,CryptQueryObject,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,LocalFree,CryptMsgClose,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,CloseHandle,LocalFree,LocalFree, 1_2_006E1260
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsFileManager.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.ClientService.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe

Compliance

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsFileManager.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsBackstageShell.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.ClientService.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 145.40.109.218:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478007F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000011.00000002.1774279771.0000000002A72000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2502083565.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2498483755.0000000000C80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000011.00000000.1770100840.0000000000BDD000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
Source: Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.2172747682.000002478075E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247802F6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1790988509.000000001B862000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: dfsvc.exe, 00000002.00000002.2172747682.000002478075E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247802F6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1790988509.000000001B862000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000010.00000000.1761418707.0000000000432000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source: Binary string: C:\Users\jmorgan\Source\ScreenConnectWork\Misc\Bootstrapper\Release\ClickOnceRunner.pdb source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780088000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775855882.0000000000DB2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478007F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000011.00000002.1774279771.0000000002A72000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2502083565.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2498483755.0000000000C80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source: Binary string: System.pdb source: ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478008C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000011.00000002.1774607067.0000000004FA2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr
Source: Binary string: e089\System.pdb source: ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000967000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E4855 FindFirstFileExA, 1_2_006E4855
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File opened: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File opened: C:\Users\user\AppData\Local\Apps\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File opened: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe:Zone.Identifier
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File opened: C:\Users\user\AppData\Local\Apps\2.0\
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File opened: C:\Users\user\AppData\Local\

Networking

Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Registry value created: NULL Service
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?h=instance-ss6pex-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2F1I8rI%2FJv32GQaD4DfyMmJGNmo%2F%2FRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2FgQWhvcJ843vxr8g3Su6i%2BOQ19Uh%2B6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2FR7Jc98i2Kg%2Bl%2FjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2Bu4Ov%2F99l3%2BbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2B7OFy%2Bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2FwdqfUZx0u617T5JnSJ&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&i=Ily&e=Support&y=Guest&r= HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: global traffic DNS traffic detected: DNS query: bcl.screenconnect.com
Source: global traffic DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: instance-ss6pex-relay.screenconnect.com
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bcl.screenconnect.com
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: dfsvc.exe, 00000002.00000002.2180528481.00000247EE8ED000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182417647.00000247F027F000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182449302.00000247F0299000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2184216603.00000247F2337000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD4.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182449302.00000247F0284000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: svchost.exe, 00000007.00000002.2503381908.000002875CE6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182417647.00000247F027F000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182449302.00000247F0299000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: dfsvc.exe, 00000002.00000002.2183316556.00000247F038B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2184216603.00000247F2337000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRoot
Source: ScreenConnect.WindowsFileManager.exe0.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: svchost.exe, 00000003.00000003.1445808184.000001EA88C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446779533.000001EA88C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446620868.000001EA88C2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: ScreenConnect.Core.dll.2.dr String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: edb.log.7.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000007.00000003.1345152933.000002875CCF0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: qmgr.db.7.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: svchost.exe, 00000003.00000003.1446111279.000001EA88C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000003.00000003.1446084158.000001EA88C49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446111279.000001EA88C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446670300.000001EA88C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446149804.000001EA88C31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000003.1446149804.000001EA88C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000002.1446620868.000001EA88C2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51669
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51667
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51668
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51662
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51660
Source: unknown Network traffic detected: HTTP traffic on port 51658 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51665
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51666
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51663
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51664
Source: unknown Network traffic detected: HTTP traffic on port 51667 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 51663 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51665 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51669 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51658
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51659
Source: unknown Network traffic detected: HTTP traffic on port 51653 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51657
Source: unknown Network traffic detected: HTTP traffic on port 51657 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51653
Source: unknown Network traffic detected: HTTP traffic on port 51659 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51662 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 51660 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51664 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51666 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51668 -> 443
Source: unknown HTTPS traffic detected: 145.40.109.218:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42B

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006EA285 1_2_006EA285
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCD5E28 2_2_00007FFAACCD5E28
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCBAF4F 2_2_00007FFAACCBAF4F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCCD510 2_2_00007FFAACCCD510
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCC2768 2_2_00007FFAACCC2768
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCC33B1 2_2_00007FFAACCC33B1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCC97A8 2_2_00007FFAACCC97A8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCD3101 2_2_00007FFAACCD3101
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCB6138 2_2_00007FFAACCB6138
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCB1211 2_2_00007FFAACCB1211
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCBF441 2_2_00007FFAACCBF441
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 16_2_00007FFAACCB73C0 16_2_00007FFAACCB73C0
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 16_2_00007FFAACCB0CFA 16_2_00007FFAACCB0CFA
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 16_2_00007FFAACCB0F50 16_2_00007FFAACCB0F50
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 16_2_00007FFAACCB6150 16_2_00007FFAACCB6150
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 16_2_00007FFAACCB1AD3 16_2_00007FFAACCB1AD3
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 16_2_00007FFAACCB1AF8 16_2_00007FFAACCB1AF8
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 16_2_00007FFAACCB0C73 16_2_00007FFAACCB0C73
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 19_2_00007FFAACCC703D 19_2_00007FFAACCC703D
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 19_2_00007FFAACCD238D 19_2_00007FFAACCD238D
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 19_2_00007FFAACFD6571 19_2_00007FFAACFD6571
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 19_2_00007FFAACFE2FED 19_2_00007FFAACFE2FED
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 19_2_00007FFAACFD6DC2 19_2_00007FFAACFD6DC2
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 19_2_00007FFAACFDAA2D 19_2_00007FFAACFDAA2D
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, PopoutPanelTaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ProgramTaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, TaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, PopoutPanelTaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, ProgramTaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, TaskbarButton.cs Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.2.dr, WindowsLocalUserExtensions.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal54.evad.winEXE@23/81@6/3
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E1260 LocalAlloc,LocalAlloc,GetModuleFileNameW,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,ReadFile,LocalAlloc,SetFilePointer,ReadFile,CertOpenSystemStoreA,LocalFree,CryptQueryObject,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,LocalFree,CryptMsgClose,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,CloseHandle,LocalFree,LocalFree, 1_2_006E1260
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Deployment
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6104:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Command line argument: dfsh 1_2_006E1260
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Command line argument: atio 1_2_006E1260
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Command line argument: dfshim 1_2_006E1260
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe File read: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe
Source: unknown Process created: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe "C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe"
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe"
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2f1I8rI%2fJv32GQaD4DfyMmJGNmo%2f%2fRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2fgQWhvcJ843vxr8g3Su6i%2bOQ19Uh%2b6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2fR7Jc98i2Kg%2bl%2fjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2bu4Ov%2f99l3%2bbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2b7OFy%2bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2fwdqfUZx0u617T5JnSJ&r=&i=Ily" "1"
Source: unknown Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2f1I8rI%2fJv32GQaD4DfyMmJGNmo%2f%2fRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2fgQWhvcJ843vxr8g3Su6i%2bOQ19Uh%2b6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2fR7Jc98i2Kg%2bl%2fjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2bu4Ov%2f99l3%2bbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2b7OFy%2bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2fwdqfUZx0u617T5JnSJ&r=&i=Ily" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe" "RunRole" "15a971cf-ed33-4068-91f7-d1656f0da9bf" "User"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: dfshim.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: dfshim.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: w32time.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vmictimeprovider.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usosvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: updatepolicy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usocoreps.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usoapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: dfshim.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: samlib.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Section loaded: dwrite.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Automated click: Run
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Automated click: Run
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: certificate valid
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478007F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000011.00000002.1774279771.0000000002A72000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2502083565.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2498483755.0000000000C80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source: Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000011.00000000.1770100840.0000000000BDD000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
Source: Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.2172747682.000002478075E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247802F6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1790988509.000000001B862000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: dfsvc.exe, 00000002.00000002.2172747682.000002478075E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247802F6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1790988509.000000001B862000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000010.00000000.1761418707.0000000000432000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source: Binary string: C:\Users\jmorgan\Source\ScreenConnectWork\Misc\Bootstrapper\Release\ClickOnceRunner.pdb source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe
Source: Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780088000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775855882.0000000000DB2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source: Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478007F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000011.00000002.1774279771.0000000002A72000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2502083565.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2498483755.0000000000C80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source: Binary string: System.pdb source: ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478008C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000011.00000002.1774607067.0000000004FA2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr
Source: Binary string: e089\System.pdb source: ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000967000.00000004.00000020.00020000.00000000.sdmp
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: ScreenConnect.WindowsBackstageShell.exe.2.dr Static PE information: 0xFAECED74 [Mon May 28 21:34:44 2103 UTC]
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E1260 LocalAlloc,LocalAlloc,GetModuleFileNameW,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,ReadFile,LocalAlloc,SetFilePointer,ReadFile,CertOpenSystemStoreA,LocalFree,CryptQueryObject,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,LocalFree,CryptMsgClose,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,CloseHandle,LocalFree,LocalFree, 1_2_006E1260
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Static PE information: real checksum: 0x22685 should be: 0x2283e
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E1E06 push ecx; ret 1_2_006E1E19
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACB9D2A5 pushad ; iretd 2_2_00007FFAACB9D2A6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCC8D47 push 8B495CBBh; iretd 2_2_00007FFAACCC8D4C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCB7D00 push eax; retf 2_2_00007FFAACCB7D1D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCC09AD push E95BAFACh; ret 2_2_00007FFAACCC0C29
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCD4B86 push ss; ret 2_2_00007FFAACCD4B87
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCC97A8 push esp; iretd 2_2_00007FFAACCE56C9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCB00BD pushad ; iretd 2_2_00007FFAACCB00C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCB845E push eax; ret 2_2_00007FFAACCB846D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Code function: 2_2_00007FFAACCB842E pushad ; ret 2_2_00007FFAACCB845D
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Code function: 17_2_010D15F0 pushfd ; iretd 17_2_010D15F9
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Code function: 17_2_010D75F0 pushad ; retf 17_2_010D75F9
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Code function: 19_2_00007FFAACCD238D pushad ; retn 5F4Bh 19_2_00007FFAACCFBCFD
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsFileManager.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsFileManager.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\ScreenConnect.Client.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsBackstageShell.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.ClientService.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a\ScreenConnect.ClientService.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsBackstageShell.exe Jump to dropped file
Source: ScreenConnect.ClientService.dll.2.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: ScreenConnect.ClientService.dll0.2.dr Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: ScreenConnect.WindowsClient.exe, 00000010.00000002.1790988509.000000001B862000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.exe, 00000011.00000002.1774279771.0000000002A72000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000013.00000002.2502083565.0000000002981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000013.00000002.2498483755.0000000000C80000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll0.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll0.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.2.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Key value created or modified: HKEY_CURRENT_USER_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb094_0018.0001_20ca72b17ca9e71d {c989bb7a-8385-4715-98cf-a741a8edb823}!ApplicationTrust Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Memory allocated: 247EC680000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Memory allocated: 247EE060000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Memory allocated: A00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Memory allocated: 1A920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Memory allocated: 1090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Memory allocated: 2AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Memory allocated: 29D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Memory allocated: D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Memory allocated: 1420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Memory allocated: 3420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Memory allocated: C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Memory allocated: 1A980000 memory reserve | memory write watch
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599327 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598526 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597998 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596499 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596377 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596215 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596087 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595978 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595852 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595749 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594398 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594296 Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Window / User API: threadDelayed 2801 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Window / User API: threadDelayed 6891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsFileManager.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsFileManager.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\ScreenConnect.Core.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\ScreenConnect.Client.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsBackstageShell.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f\ScreenConnect.Windows.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a\ScreenConnect.ClientService.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsBackstageShell.exe Jump to dropped file
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe TID: 6400 Thread sleep count: 211 > 30 Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe TID: 6400 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -23980767295822402s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -599327s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -599219s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -599000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -598891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -598766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -598641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -598526s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -598344s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -598219s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -598109s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -597998s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -597891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -597766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -597641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -597531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -597422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -597313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -597188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -597063s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -596953s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -596844s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -596719s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -596609s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -596499s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -596377s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -596215s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -596087s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -595978s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -595852s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -595749s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -595641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -595531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -595422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -595313s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -595188s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -595078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -594969s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -594844s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -594734s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -594625s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -594516s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -594398s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296 Thread sleep time: -594296s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6488 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe TID: 7832 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe TID: 7868 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe TID: 8084 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E4855 FindFirstFileExA, 1_2_006E4855
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Thread delayed: delay time: 40000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599327 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598526 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597998 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 597063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596499 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596377 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596215 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 596087 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595978 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595852 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595749 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594398 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Thread delayed: delay time: 594296 Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File opened: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File opened: C:\Users\user\AppData\Local\Apps\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File opened: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe:Zone.Identifier Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File opened: C:\Users\user\AppData\Local\Apps\2.0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: svchost.exe, 00000009.00000002.2499281453.0000018C29E50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: dfsvc.exe, 00000002.00000002.2182449302.00000247F02AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2499018912.0000018C29E2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000009.00000002.2499529708.0000018C29E7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: dfsvc.exe, 00000002.00000002.2182927197.00000247F032B000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2180157276.00000247EE84E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2503342393.000002875CE56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2500866643.000002875782B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.2498604853.0000018C29E02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: dfsvc.exe, 00000002.00000002.2182927197.00000247F032B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW)V
Source: svchost.exe, 00000009.00000002.2499529708.0000018C29E66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
Source: svchost.exe, 00000009.00000002.2499830618.0000018C29F02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2499018912.0000018C29E2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2499281453.0000018C29E50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2498094203.00000282FC031000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E4414 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_006E4414
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E1260 LocalAlloc,LocalAlloc,GetModuleFileNameW,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,ReadFile,LocalAlloc,SetFilePointer,ReadFile,CertOpenSystemStoreA,LocalFree,CryptQueryObject,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,LocalFree,CryptMsgClose,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,CloseHandle,LocalFree,LocalFree, 1_2_006E1260
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E34FD mov eax, dword ptr fs:[00000030h] 1_2_006E34FD
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E664F GetProcessHeap, 1_2_006E664F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E4414 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_006E4414
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E1D02 SetUnhandledExceptionFilter, 1_2_006E1D02
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E16F1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_006E16F1
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E1BB4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_006E1BB4
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT | WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2f1I8rI%2fJv32GQaD4DfyMmJGNmo%2f%2fRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2fgQWhvcJ843vxr8g3Su6i%2bOQ19Uh%2b6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2fR7Jc98i2Kg%2bl%2fjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2bu4Ov%2f99l3%2bbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2b7OFy%2bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2fwdqfUZx0u617T5JnSJ&r=&i=Ily" "1" Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\bwl7gtay.epv\5w5hva52.70c\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\screenconnect.clientservice.exe" "?e=support&y=guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=bgiaaackaabsu0exaagaaaeaaqbdjpb2q8wjcfbseyamy%2f1i8ri%2fjv32gqad4dfymmjgnmo%2f%2frng83nebcxkkc9j9fnvqipaixrqusxpppqnpkz7juxo8omg%2fgqwhvcj843vxr8g3su6i%2boq19uh%2b6nnu4mvd5n1gn7gmjqp8lmlfqcm4xdqawncxy3dtwtam6za8sn0nrpx%2fr7jc98i2kg%2bl%2fjkhfh9my9cd1qp8by32wv4poh8szjedl3rx7m1gncxhay6of%2bu4ov%2f99l3%2bbdbaoickjlltbaubyzj9yib5zym8vemcti%2b7ofy%2bv0pxxtciizxlfv251d4ovl7mdh2hwe5l%2fwdqfuzx0u617t5jnsj&r=&i=ily" "1"
Source: unknown Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\bwl7gtay.epv\5w5hva52.70c\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\screenconnect.clientservice.exe" "?e=support&y=guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=bgiaaackaabsu0exaagaaaeaaqbdjpb2q8wjcfbseyamy%2f1i8ri%2fjv32gqad4dfymmjgnmo%2f%2frng83nebcxkkc9j9fnvqipaixrqusxpppqnpkz7juxo8omg%2fgqwhvcj843vxr8g3su6i%2boq19uh%2b6nnu4mvd5n1gn7gmjqp8lmlfqcm4xdqawncxy3dtwtam6za8sn0nrpx%2fr7jc98i2kg%2bl%2fjkhfh9my9cd1qp8by32wv4poh8szjedl3rx7m1gncxhay6of%2bu4ov%2f99l3%2bbdbaoickjlltbaubyzj9yib5zym8vemcti%2b7ofy%2bv0pxxtciizxlfv251d4ovl7mdh2hwe5l%2fwdqfuzx0u617t5jnsj&r=&i=ily" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\bwl7gtay.epv\5w5hva52.70c\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\screenconnect.clientservice.exe" "?e=support&y=guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=bgiaaackaabsu0exaagaaaeaaqbdjpb2q8wjcfbseyamy%2f1i8ri%2fjv32gqad4dfymmjgnmo%2f%2frng83nebcxkkc9j9fnvqipaixrqusxpppqnpkz7juxo8omg%2fgqwhvcj843vxr8g3su6i%2boq19uh%2b6nnu4mvd5n1gn7gmjqp8lmlfqcm4xdqawncxy3dtwtam6za8sn0nrpx%2fr7jc98i2kg%2bl%2fjkhfh9my9cd1qp8by32wv4poh8szjedl3rx7m1gncxhay6of%2bu4ov%2f99l3%2bbdbaoickjlltbaubyzj9yib5zym8vemcti%2b7ofy%2bv0pxxtciizxlfv251d4ovl7mdh2hwe5l%2fwdqfuzx0u617t5jnsj&r=&i=ily" "1" Jump to behavior
Source: ScreenConnect.WindowsClient.exe, 00000010.00000000.1761418707.0000000000432000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000010.00000000.1761418707.0000000000432000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E1E1B cpuid 1_2_006E1E1B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsBackstageShell.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsFileManager.exe.config VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe.config VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsFileManager.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Code function: 1_2_006E1A9C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_006E1A9C
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: svchost.exe, 0000000D.00000002.2500009459.00000250F8902000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000D.00000002.2500009459.00000250F8902000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\03A5B14663EB12023091B84A6D6A68BC871DE66B Blob
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: Yara match File source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe, type: SAMPLE
Source: Yara match File source: 16.0.ScreenConnect.WindowsClient.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.1761418707.0000000000432000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe PID: 60, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dfsvc.exe PID: 5408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7812, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 7848, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe, type: DROPPED