Edit tour

Windows Analysis Report
1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Overview

General Information

Sample name:	1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe (renamed file extension from old to exe)
Original sample name:	1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.old
Analysis ID:	1466878
MD5:	cc4dd46308ebb24e27b340426f05056c
SHA1:	2e6339d284b125fd9872dd35ea2cbb8e926857c2
SHA256:	15a7081b1f16351979220fbf17d2f79579d216aac7a988d888b02706ddb1cf20
Infos:

Detection

ScreenConnect Tool

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

.NET source code references suspicious native API functions

AI detected suspicious sample

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to hide user accounts

Enables network access during safeboot for specific services

Query firmware table information (likely to detect VMs)

Reads the Security eventlog

Reads the System eventlog

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

PE file contains an invalid checksum

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected ScreenConnect Tool

Classification

Process Tree

System is w10x64

1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe (PID: 60 cmdline: "C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe" MD5: CC4DD46308EBB24E27B340426F05056C)

dfsvc.exe (PID: 5408 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)

ScreenConnect.WindowsClient.exe (PID: 7812 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe" MD5: DBD7C0D2CF1BF5CEC608648F14DC8309)

ScreenConnect.ClientService.exe (PID: 7848 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2f1I8rI%2fJv32GQaD4DfyMmJGNmo%2f%2fRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2fgQWhvcJ843vxr8g3Su6i%2bOQ19Uh%2b6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2fR7Jc98i2Kg%2bl%2fjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2bu4Ov%2f99l3%2bbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2b7OFy%2bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2fwdqfUZx0u617T5JnSJ&r=&i=Ily" "1" MD5: 1B8110B335E144860E91F5E68CCDC8B3)

svchost.exe (PID: 5976 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6436 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7132 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2256 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 7068 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 1792 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 3212 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5296 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7284 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 6000 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7740 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ScreenConnect.ClientService.exe (PID: 7872 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2f1I8rI%2fJv32GQaD4DfyMmJGNmo%2f%2fRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2fgQWhvcJ843vxr8g3Su6i%2bOQ19Uh%2b6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2fR7Jc98i2Kg%2bl%2fjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2bu4Ov%2f99l3%2bbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2b7OFy%2bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2fwdqfUZx0u617T5JnSJ&r=&i=Ily" "1" MD5: 1B8110B335E144860E91F5E68CCDC8B3)

ScreenConnect.WindowsClient.exe (PID: 7952 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe" "RunRole" "15a971cf-ed33-4068-91f7-d1656f0da9bf" "User" MD5: DBD7C0D2CF1BF5CEC608648F14DC8309)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000010.00000000.1761418707.0000000000432000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe PID: 60	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: dfsvc.exe PID: 5408	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7812	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: ScreenConnect.ClientService.exe PID: 7848	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.0.ScreenConnect.WindowsClient.exe.430000.0.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Sigma Signatures

Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports

Source: Network Connection

Author: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.7, DestinationIsIpv6: false, DestinationPort: 49704, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 5408, Protocol: tcp, SourceIp: 145.40.109.218, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5976, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.6% probability

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Code function: 1_2_006E1260 LocalAlloc,LocalAlloc,GetModuleFileNameW,CreateFileW,SetFilePointer,SetFilePointer,ReadFile,ReadFile,LocalAlloc,SetFilePointer,ReadFile,CertOpenSystemStoreA,LocalFree,CryptQueryObject,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,CertCreateCertificateContext,CertAddCertificateContextToStore,CertFreeCertificateContext,LocalFree,LocalFree,CryptMsgClose,LoadLibraryA,GetProcAddress,Sleep,CertDeleteCertificateFromStore,CertDeleteCertificateFromStore,CertCloseStore,CloseHandle,LocalFree,LocalFree,

1_2_006E1260

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsFileManager.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsFileManager.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsBackstageShell.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.ClientService.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	EXE: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe	Jump to behavior

Uses 32bit PE files

Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 145.40.109.218:443 -> 192.168.2.7:49704 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478007F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000011.00000002.1774279771.0000000002A72000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2502083565.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2498483755.0000000000C80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000011.00000000.1770100840.0000000000BDD000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
Source:	Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.2172747682.000002478075E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247802F6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1790988509.000000001B862000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: dfsvc.exe, 00000002.00000002.2172747682.000002478075E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247802F6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1790988509.000000001B862000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000010.00000000.1761418707.0000000000432000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\ScreenConnectWork\Misc\Bootstrapper\Release\ClickOnceRunner.pdb source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780088000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775855882.0000000000DB2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478007F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000011.00000002.1774279771.0000000002A72000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2502083565.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2498483755.0000000000C80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source:	Binary string: System.pdb source: ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478008C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000011.00000002.1774607067.0000000004FA2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr
Source:	Binary string: e089\System.pdb source: ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000967000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Code function: 1_2_006E4855 FindFirstFileExA,

1_2_006E4855

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe:Zone.Identifier	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior

Networking

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe

Registry value created: NULL Service

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?h=instance-ss6pex-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2F1I8rI%2FJv32GQaD4DfyMmJGNmo%2F%2FRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2FgQWhvcJ843vxr8g3Su6i%2BOQ19Uh%2B6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2FR7Jc98i2Kg%2Bl%2FjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2Bu4Ov%2F99l3%2BbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2B7OFy%2Bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2FwdqfUZx0u617T5JnSJ&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&i=Ily&e=Support&y=Guest&r= HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.application?h=instance-ss6pex-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2F1I8rI%2FJv32GQaD4DfyMmJGNmo%2F%2FRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2FgQWhvcJ843vxr8g3Su6i%2BOQ19Uh%2B6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2FR7Jc98i2Kg%2Bl%2FjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2Bu4Ov%2F99l3%2BbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2B7OFy%2Bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2FwdqfUZx0u617T5JnSJ&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&i=Ily&e=Support&y=Guest&r= HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.manifest HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Windows.dll HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Core.dll HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.Client.dll HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1Host: bcl.screenconnect.comAccept-Encoding: gzipConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: bcl.screenconnect.com
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: instance-ss6pex-relay.screenconnect.com

Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bcl.screenconnect.com
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: dfsvc.exe, 00000002.00000002.2180528481.00000247EE8ED000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182417647.00000247F027F000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182449302.00000247F0299000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2184216603.00000247F2337000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD4.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182449302.00000247F0284000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: svchost.exe, 00000007.00000002.2503381908.000002875CE6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182417647.00000247F027F000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182449302.00000247F0299000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: dfsvc.exe, 00000002.00000002.2183316556.00000247F038B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2184216603.00000247F2337000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRoot
Source: ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182417647.00000247F027F000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182449302.00000247F0299000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dfsvc.exe, 00000002.00000002.2181786651.00000247F01DF000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182449302.00000247F0299000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: dfsvc.exe, 00000002.00000002.2180157276.00000247EE84E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en;
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.7.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.7.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-ss6pex-relay.screenconnect.com:443/
Source: ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-ss6pex-relay.screenconnect.com:443/%
Source: ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-ss6pex-relay.screenconnect.com:443/9
Source: ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-ss6pex-relay.screenconnect.com:443/G
Source: ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-ss6pex-relay.screenconnect.com:443/a
Source: ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.00000000016EA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.0000000001556000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.0000000001635000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.00000000018E6000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.00000000017C0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.000000000150B000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.0000000001809000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.00000000015C0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.000000000167F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://instance-ss6pex-relay.screenconnect.com:443/d
Source: ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://instance-ss6pex-relay.screenconnect.com:443/s
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	String found in binary or memory: http://ocsp.comodoca.com0$
Source: 8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42B0.2.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.2.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: dfsvc.exe, 00000002.00000002.2180528481.00000247EE8ED000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182417647.00000247F027F000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182449302.00000247F0299000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182449302.00000247F0284000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2184216603.00000247F2337000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: dfsvc.exe, 00000002.00000002.2180528481.00000247EE8F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: dfsvc.exe, 00000002.00000002.2181786651.00000247F01D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crlp
Source: dfsvc.exe, 00000002.00000002.2182162516.00000247F023F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microso
Source: dfsvc.exe, 00000002.00000002.2172747682.000002478001A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.0000000001488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://server-nixc4ced126-web.screenconnect.com
Source: svchost.exe, 0000000B.00000002.2499280528.000002BAFFC87000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2498018632.000002BA80702000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.11.dr	String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: svchost.exe, 00000003.00000002.1446595264.000001EA88C13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: dfsvc.exe, 00000002.00000002.2180528481.00000247EE8ED000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780772000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780246000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780762000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780256000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182417647.00000247F027F000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780084000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182449302.00000247F0299000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr, ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsClient.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780548000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478050C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: dfsvc.exe, 00000002.00000002.2172747682.00000247802FA000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478056B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780548000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2core
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780090000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.xrml.org/schema/2001/11/xrml2coreS
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: dfsvc.exe, 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.ptD
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnX
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnXr
Source: dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnXz
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780602000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconne
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780602000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478025A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com
Source: dfsvc.exe, 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/
Source: dfsvc.exe, 00000002.00000002.2181786651.00000247F01DF000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780602000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775450361.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1776077188.000000000292F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1776077188.0000000002921000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775774609.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775450361.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.application
Source: ScreenConnect.WindowsClient.exe, 00000010.00000002.1776077188.0000000002921000.00000004.00000800.00020000.00000000.sdmp, B3V01X1N.log.2.dr	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.appli
Source: dfsvc.exe, 00000002.00000002.2180464466.00000247EE8A6000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775774609.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.application%%
Source: ScreenConnect.WindowsClient.exe, 00000010.00000002.1775450361.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1776077188.0000000002921000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775450361.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, B3V01X1N.log.2.dr	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.application?h=instance-ss6pex-relay.screencon
Source: dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationG
Source: ScreenConnect.WindowsClient.exe, 00000010.00000002.1776077188.000000000292F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationX
Source: dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationataK9f
Source: dfsvc.exe, 00000002.00000002.2180157276.00000247EE84E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationig%
Source: dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775450361.0000000000B79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationst
Source: ScreenConnect.WindowsClient.exe, 00000010.00000002.1775450361.0000000000B79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationstt
Source: dfsvc.exe, 00000002.00000002.2182449302.00000247F02AD000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247801F8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.dll
Source: ScreenConnect.WindowsClient.exe, 00000010.00000002.1776077188.000000000292F000.00000004.00000800.00020000.00000000.sdmp, B3V01X1N.log.2.dr	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.manifest
Source: dfsvc.exe, 00000002.00000002.2181786651.00000247F01DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.manifest?
Source: dfsvc.exe, 00000002.00000002.2181786651.00000247F01DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Client.manifestfm
Source: dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.ClientServ
Source: dfsvc.exe, 00000002.00000002.2181786651.00000247F01DF000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247801F8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.ClientService.dll
Source: dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.ClientService.exe
Source: dfsvc.exe, 00000002.00000002.2181786651.00000247F01DF000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247801F8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Core.dll
Source: dfsvc.exe, 00000002.00000002.2181786651.00000247F01DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Core.dllJ
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Wi
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2182449302.00000247F02AD000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247801F8000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.Windows.dll
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShX
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe
Source: dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.
Source: dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.config
Source: dfsvc.exe, 00000002.00000002.2178743753.00000247EC4C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.configesourceHandler
Source: dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exem
Source: dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exes
Source: dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe
Source: dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe.P
Source: dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe.config
Source: dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileMan8
Source: dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe
Source: dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe.config
Source: dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exeA
Source: dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exex
Source: dfsvc.exe, 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com/Bin/h
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe, 00000001.00000002.1340535064.00000000013AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.com:443/Bin/ScreenConnect.Clie
Source: B3V01X1N.log.2.dr	String found in binary or memory: https://bcl.screenconnect.com:443/Bin/ScreenConnect.Client.application?h=instance-ss6pex-relay.scree
Source: dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bcl.screenconnect.comptD
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000003.00000003.1446043971.000001EA88C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446758000.000001EA88C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445850657.000001EA88C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446111279.000001EA88C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446841312.000001EA88C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445741704.000001EA88C6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446670300.000001EA88C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000002.1446841312.000001EA88C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445741704.000001EA88C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000003.00000003.1445808184.000001EA88C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446779533.000001EA88C68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000003.00000002.1446841312.000001EA88C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445741704.000001EA88C6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000003.1446043971.000001EA88C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446758000.000001EA88C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445850657.000001EA88C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446620868.000001EA88C2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000003.00000003.1445808184.000001EA88C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446779533.000001EA88C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446620868.000001EA88C2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000003.00000002.1446758000.000001EA88C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445850657.000001EA88C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446620868.000001EA88C2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000003.00000003.1446111279.000001EA88C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446670300.000001EA88C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000002.1446758000.000001EA88C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445850657.000001EA88C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000003.00000003.1446149804.000001EA88C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000002.1446670300.000001EA88C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000002.1446758000.000001EA88C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445850657.000001EA88C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000003.1446111279.000001EA88C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446670300.000001EA88C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000003.00000003.1445808184.000001EA88C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446779533.000001EA88C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446620868.000001EA88C2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: ScreenConnect.Core.dll.2.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000007.00000003.1345152933.000002875CCF0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: qmgr.db.7.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: svchost.exe, 00000003.00000003.1446111279.000001EA88C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000003.00000003.1446084158.000001EA88C49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446111279.000001EA88C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446670300.000001EA88C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446149804.000001EA88C31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000003.1446149804.000001EA88C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000002.1446620868.000001EA88C2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51669
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51667
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51668
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51662
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51660
Source: unknown	Network traffic detected: HTTP traffic on port 51658 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51665
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51666
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51663
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51664
Source: unknown	Network traffic detected: HTTP traffic on port 51667 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 51663 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51665 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51669 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51658
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51659
Source: unknown	Network traffic detected: HTTP traffic on port 51653 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51657
Source: unknown	Network traffic detected: HTTP traffic on port 51657 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51653
Source: unknown	Network traffic detected: HTTP traffic on port 51659 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51662 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 51660 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51664 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51666 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51668 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 145.40.109.218:443 -> 192.168.2.7:49704 version: TLS 1.2

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42B	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\ScreenConnect

Reads the System eventlog

Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\ScreenConnect
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Code function: 1_2_006EA285	1_2_006EA285
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCD5E28	2_2_00007FFAACCD5E28
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCBAF4F	2_2_00007FFAACCBAF4F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCCD510	2_2_00007FFAACCCD510
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCC2768	2_2_00007FFAACCC2768
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCC33B1	2_2_00007FFAACCC33B1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCC97A8	2_2_00007FFAACCC97A8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCD3101	2_2_00007FFAACCD3101
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCB6138	2_2_00007FFAACCB6138
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCB1211	2_2_00007FFAACCB1211
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCBF441	2_2_00007FFAACCBF441
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FFAACCB73C0	16_2_00007FFAACCB73C0
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FFAACCB0CFA	16_2_00007FFAACCB0CFA
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FFAACCB0F50	16_2_00007FFAACCB0F50
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FFAACCB6150	16_2_00007FFAACCB6150
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FFAACCB1AD3	16_2_00007FFAACCB1AD3
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FFAACCB1AF8	16_2_00007FFAACCB1AF8
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 16_2_00007FFAACCB0C73	16_2_00007FFAACCB0C73
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FFAACCC703D	19_2_00007FFAACCC703D
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FFAACCD238D	19_2_00007FFAACCD238D
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FFAACFD6571	19_2_00007FFAACFD6571
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FFAACFE2FED	19_2_00007FFAACFE2FED
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FFAACFD6DC2	19_2_00007FFAACFD6DC2
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FFAACFDAA2D	19_2_00007FFAACFDAA2D

Uses 32bit PE files

Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe.2.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, PopoutPanelTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, ProgramTaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'
Source: ScreenConnect.WindowsBackstageShell.exe0.2.dr, TaskbarButton.cs	Task registration methods: 'CreateDefaultDropDown'

Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: ScreenConnect.ClientService.dll.2.dr, WindowsLocalUserExtensions.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal54.evad.winEXE@23/81@6/3

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

1_2_006E1260

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Deployment

Jump to behavior

Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6104:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File created: C:\Users\user\AppData\Local\Temp\Deployment

Jump to behavior

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Command line argument: dfsh	1_2_006E1260
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Command line argument: atio	1_2_006E1260
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Command line argument: dfshim	1_2_006E1260
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Command line argument: dfshim	1_2_006E1260

Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

File read: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe "C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe"
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe"
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2f1I8rI%2fJv32GQaD4DfyMmJGNmo%2f%2fRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2fgQWhvcJ843vxr8g3Su6i%2bOQ19Uh%2b6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2fR7Jc98i2Kg%2bl%2fjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2bu4Ov%2f99l3%2bbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2b7OFy%2bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2fwdqfUZx0u617T5JnSJ&r=&i=Ily" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2f1I8rI%2fJv32GQaD4DfyMmJGNmo%2f%2fRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2fgQWhvcJ843vxr8g3Su6i%2bOQ19Uh%2b6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2fR7Jc98i2Kg%2bl%2fjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2bu4Ov%2f99l3%2bbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2b7OFy%2bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2fwdqfUZx0u617T5JnSJ&r=&i=Ily" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe" "RunRole" "15a971cf-ed33-4068-91f7-d1656f0da9bf" "User"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2f1I8rI%2fJv32GQaD4DfyMmJGNmo%2f%2fRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2fgQWhvcJ843vxr8g3Su6i%2bOQ19Uh%2b6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2fR7Jc98i2Kg%2bl%2fjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2bu4Ov%2f99l3%2bbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2b7OFy%2bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2fwdqfUZx0u617T5JnSJ&r=&i=Ily" "1"	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe" "RunRole" "15a971cf-ed33-4068-91f7-d1656f0da9bf" "User"

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usosvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: updatepolicy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usocoreps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usoapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: dfshim.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: samlib.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Section loaded: dwrite.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Automated click: Run
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Automated click: Run

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Static PE information: certificate valid

PE file contains a mix of data directories often seen in goodware

Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsFileManager\obj\Release\ScreenConnect.WindowsFileManager.pdb source: ScreenConnect.WindowsFileManager.exe.2.dr, ScreenConnect.WindowsFileManager.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdb source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478007F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000011.00000002.1774279771.0000000002A72000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2502083565.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2498483755.0000000000C80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetServiceRunner.pdb source: ScreenConnect.ClientService.exe, 00000011.00000000.1770100840.0000000000BDD000.00000002.00000001.01000000.0000000D.sdmp, ScreenConnect.ClientService.exe.2.dr, ScreenConnect.ClientService.exe0.2.dr
Source:	Binary string: mscorlib.pdb source: ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb source: dfsvc.exe, 00000002.00000002.2172747682.000002478075E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247802F6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1790988509.000000001B862000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Windows\obj\Release\net20\ScreenConnect.Windows.pdb/[ source: dfsvc.exe, 00000002.00000002.2172747682.000002478075E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247802F6000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1790988509.000000001B862000.00000002.00000001.01000000.00000010.sdmp, ScreenConnect.Windows.dll0.2.dr, ScreenConnect.Windows.dll.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsBackstageShell\obj\Release\ScreenConnect.WindowsBackstageShell.pdb source: ScreenConnect.WindowsBackstageShell.exe.2.dr, ScreenConnect.WindowsBackstageShell.exe0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\WindowsClient\obj\Release\ScreenConnect.WindowsClient.pdb source: ScreenConnect.WindowsClient.exe, 00000010.00000000.1761418707.0000000000432000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr
Source:	Binary string: C:\Users\jmorgan\Source\ScreenConnectWork\Misc\Bootstrapper\Release\ClickOnceRunner.pdb source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Client\obj\Release\net20\ScreenConnect.Client.pdb source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780088000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775855882.0000000000DB2000.00000002.00000001.01000000.00000011.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F0000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.Client.dll.2.dr, ScreenConnect.Client.dll0.2.dr
Source:	Binary string: C:\builds\cc\cwcontrol\Product\ClientService\obj\Release\ScreenConnect.ClientService.pdbU! source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478007F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000011.00000002.1774279771.0000000002A72000.00000002.00000001.01000000.0000000E.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2502083565.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000013.00000002.2498483755.0000000000C80000.00000004.08000000.00040000.00000000.sdmp, ScreenConnect.ClientService.dll.2.dr, ScreenConnect.ClientService.dll0.2.dr
Source:	Binary string: System.pdb source: ScreenConnect.ClientService.exe, 00000012.00000002.2519577245.00000000050F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\builds\cc\cwcontrol\Product\Core\obj\Release\net20\ScreenConnect.Core.pdb source: dfsvc.exe, 00000002.00000002.2172747682.00000247804C2000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478008C000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000011.00000002.1774607067.0000000004FA2000.00000002.00000001.01000000.0000000F.sdmp, ScreenConnect.Core.dll0.2.dr, ScreenConnect.Core.dll.2.dr
Source:	Binary string: e089\System.pdb source: ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000967000.00000004.00000020.00020000.00000000.sdmp

PE file contains a valid data directory to section mapping

Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: ScreenConnect.WindowsBackstageShell.exe.2.dr

Static PE information: 0xFAECED74 [Mon May 28 21:34:44 2103 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

1_2_006E1260

PE file contains an invalid checksum

Source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Static PE information: real checksum: 0x22685 should be: 0x2283e

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Code function: 1_2_006E1E06 push ecx; ret	1_2_006E1E19
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACB9D2A5 pushad ; iretd	2_2_00007FFAACB9D2A6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCC8D47 push 8B495CBBh; iretd	2_2_00007FFAACCC8D4C
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCB7D00 push eax; retf	2_2_00007FFAACCB7D1D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCC09AD push E95BAFACh; ret	2_2_00007FFAACCC0C29
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCD4B86 push ss; ret	2_2_00007FFAACCD4B87
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCC97A8 push esp; iretd	2_2_00007FFAACCE56C9
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCB00BD pushad ; iretd	2_2_00007FFAACCB00C1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCB845E push eax; ret	2_2_00007FFAACCB846D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Code function: 2_2_00007FFAACCB842E pushad ; ret	2_2_00007FFAACCB845D
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Code function: 17_2_010D15F0 pushfd ; iretd	17_2_010D15F9
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Code function: 17_2_010D75F0 pushad ; retf	17_2_010D75F9
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Code function: 19_2_00007FFAACCD238D pushad ; retn 5F4Bh	19_2_00007FFAACCFBCFD

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.ClientService.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File created: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: ScreenConnect.ClientService.dll.2.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}
Source: ScreenConnect.ClientService.dll0.2.dr	Binary or memory string: bcdedit.exeg/copy {current} /d "Reboot and Reconnect Safe Mode"7{.{8}-.{4}-.{4}-.{4}-.{12}}

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Modifies existing windows services

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: ScreenConnect.WindowsClient.exe, 00000010.00000002.1790988509.000000001B862000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.ClientService.exe, 00000011.00000002.1774279771.0000000002A72000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000013.00000002.2502083565.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.WindowsClient.exe, 00000013.00000002.2498483755.0000000000C80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.ClientService.dll0.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList?ScreenConnect.WindowsClient.exe
Source: ScreenConnect.Windows.dll0.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ScreenConnect.Windows.dll.2.dr	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Stores large binary data to the registry

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Key value created or modified: HKEY_CURRENT_USER_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\scre..tion_25b0fbb6ef7eb094_0018.0001_20ca72b17ca9e71d {c989bb7a-8385-4715-98cf-a741a8edb823}!ApplicationTrust

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 247EC680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Memory allocated: 247EE060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Memory allocated: A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Memory allocated: 1A920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Memory allocated: 1090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Memory allocated: 29D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Memory allocated: D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Memory allocated: 1420000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Memory allocated: 3420000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Memory allocated: C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Memory allocated: 1A980000 memory reserve \| memory write watch

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598526	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596377	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596215	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596087	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595978	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595852	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594398	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594296	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 2801			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Window / User API: threadDelayed 6891			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsFileManager.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\ScreenConnect.Client.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a\ScreenConnect.ClientService.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsBackstageShell.exe	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe TID: 6400	Thread sleep count: 211 > 30	Jump to behavior
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe TID: 6400	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -599327s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -598526s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -597998s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -597422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -597313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -596953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -596844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -596499s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -596377s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -596215s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -596087s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -595978s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -595852s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -595749s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -595188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -594516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -594398s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 4296	Thread sleep time: -594296s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6488	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe TID: 7832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe TID: 7868	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe TID: 8084	Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Code function: 1_2_006E4855 FindFirstFileExA,

1_2_006E4855

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Thread delayed: delay time: 40000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598526	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597998	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596499	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596377	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596215	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 596087	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595978	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595852	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594398	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Thread delayed: delay time: 594296	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe:Zone.Identifier	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\Apps\2.0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior

Source: svchost.exe, 00000009.00000002.2499281453.0000018C29E50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: dfsvc.exe, 00000002.00000002.2182449302.00000247F02AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2499018912.0000018C29E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000009.00000002.2499529708.0000018C29E7D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: dfsvc.exe, 00000002.00000002.2182927197.00000247F032B000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2180157276.00000247EE84E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2503342393.000002875CE56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2500866643.000002875782B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.2498604853.0000018C29E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: dfsvc.exe, 00000002.00000002.2182927197.00000247F032B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW)V
Source: svchost.exe, 00000009.00000002.2499529708.0000018C29E66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000es
Source: svchost.exe, 00000009.00000002.2499830618.0000018C29F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2499018912.0000018C29E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000009.00000002.2499281453.0000018C29E50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2498094203.00000282FC031000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe

Process information queried: ProcessInformation

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Code function: 1_2_006E4414 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_006E4414

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

1_2_006E1260

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Code function: 1_2_006E34FD mov eax, dword ptr fs:[00000030h]

1_2_006E34FD

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Code function: 1_2_006E664F GetProcessHeap,

1_2_006E664F

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Process token adjusted: Debug

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Code function: 1_2_006E4414 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_006E4414
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Code function: 1_2_006E1D02 SetUnhandledExceptionFilter,	1_2_006E1D02
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Code function: 1_2_006E16F1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_006E16F1
Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	Code function: 1_2_006E1BB4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_006E1BB4

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: ScreenConnect.Windows.dll.2.dr, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: ScreenConnect.Windows.dll.2.dr, WindowsExtensions.cs	Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe"			Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2f1I8rI%2fJv32GQaD4DfyMmJGNmo%2f%2fRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2fgQWhvcJ843vxr8g3Su6i%2bOQ19Uh%2b6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2fR7Jc98i2Kg%2bl%2fjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2bu4Ov%2f99l3%2bbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2b7OFy%2bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2fwdqfUZx0u617T5JnSJ&r=&i=Ily" "1"			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\bwl7gtay.epv\5w5hva52.70c\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\screenconnect.clientservice.exe" "?e=support&y=guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=bgiaaackaabsu0exaagaaaeaaqbdjpb2q8wjcfbseyamy%2f1i8ri%2fjv32gqad4dfymmjgnmo%2f%2frng83nebcxkkc9j9fnvqipaixrqusxpppqnpkz7juxo8omg%2fgqwhvcj843vxr8g3su6i%2boq19uh%2b6nnu4mvd5n1gn7gmjqp8lmlfqcm4xdqawncxy3dtwtam6za8sn0nrpx%2fr7jc98i2kg%2bl%2fjkhfh9my9cd1qp8by32wv4poh8szjedl3rx7m1gncxhay6of%2bu4ov%2f99l3%2bbdbaoickjlltbaubyzj9yib5zym8vemcti%2b7ofy%2bv0pxxtciizxlfv251d4ovl7mdh2hwe5l%2fwdqfuzx0u617t5jnsj&r=&i=ily" "1"
Source: unknown	Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\bwl7gtay.epv\5w5hva52.70c\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\screenconnect.clientservice.exe" "?e=support&y=guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=bgiaaackaabsu0exaagaaaeaaqbdjpb2q8wjcfbseyamy%2f1i8ri%2fjv32gqad4dfymmjgnmo%2f%2frng83nebcxkkc9j9fnvqipaixrqusxpppqnpkz7juxo8omg%2fgqwhvcj843vxr8g3su6i%2boq19uh%2b6nnu4mvd5n1gn7gmjqp8lmlfqcm4xdqawncxy3dtwtam6za8sn0nrpx%2fr7jc98i2kg%2bl%2fjkhfh9my9cd1qp8by32wv4poh8szjedl3rx7m1gncxhay6of%2bu4ov%2f99l3%2bbdbaoickjlltbaubyzj9yib5zym8vemcti%2b7ofy%2bv0pxxtciizxlfv251d4ovl7mdh2hwe5l%2fwdqfuzx0u617t5jnsj&r=&i=ily" "1"
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Process created: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe "c:\users\user\appdata\local\apps\2.0\bwl7gtay.epv\5w5hva52.70c\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\screenconnect.clientservice.exe" "?e=support&y=guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=bgiaaackaabsu0exaagaaaeaaqbdjpb2q8wjcfbseyamy%2f1i8ri%2fjv32gqad4dfymmjgnmo%2f%2frng83nebcxkkc9j9fnvqipaixrqusxpppqnpkz7juxo8omg%2fgqwhvcj843vxr8g3su6i%2boq19uh%2b6nnu4mvd5n1gn7gmjqp8lmlfqcm4xdqawncxy3dtwtam6za8sn0nrpx%2fr7jc98i2kg%2bl%2fjkhfh9my9cd1qp8by32wv4poh8szjedl3rx7m1gncxhay6of%2bu4ov%2f99l3%2bbdbaoickjlltbaubyzj9yib5zym8vemcti%2b7ofy%2bv0pxxtciizxlfv251d4ovl7mdh2hwe5l%2fwdqfuzx0u617t5jnsj&r=&i=ily" "1"	Jump to behavior

Source: ScreenConnect.WindowsClient.exe, 00000010.00000000.1761418707.0000000000432000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr	Binary or memory string: Progman
Source: ScreenConnect.WindowsClient.exe, 00000010.00000000.1761418707.0000000000432000.00000002.00000001.01000000.0000000C.sdmp, ScreenConnect.WindowsClient.exe0.2.dr, ScreenConnect.WindowsClient.exe.2.dr	Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWnd%MsgrIMEWindowClass

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Code function: 1_2_006E1E1B cpuid

1_2_006E1E1B

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsBackstageShell.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsFileManager.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsBackstageShell.exe.config VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsFileManager.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Client.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Core.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Windows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Client.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Core.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe	Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.dll VolumeInformation

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Code function: 1_2_006E1A9C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_006E1A9C

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 0000000D.00000002.2500009459.00000250F8902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000D.00000002.2500009459.00000250F8902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Adds / modifies Windows certificates

Source: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\03A5B14663EB12023091B84A6D6A68BC871DE66B Blob

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Remote Access Functionality

Yara detected ScreenConnect Tool

Source: Yara match	File source: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe, type: SAMPLE
Source: Yara match	File source: 16.0.ScreenConnect.WindowsClient.exe.430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000000.1761418707.0000000000432000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe PID: 60, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dfsvc.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.WindowsClient.exe PID: 7812, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ScreenConnect.ClientService.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	121 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Obfuscated Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	13 Command and Scripting Interpreter	2 Windows Service	2 Windows Service	1 Install Root Certificate	Security Account Manager	35 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	12 Process Injection	1 Timestomp	NTDS	161 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Bootkit	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Search Order Hijacking	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Users	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Bootkit	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe	17%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsBackstageShell.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsFileManager.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://dev.ditu.live.com/REST/v1/Routes/	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.dll	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe.P	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileMan8	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Windows.dll	0%	Avira URL Cloud	safe
http://standards.iso.org/iso/19770/-2/2009/schema.xsd	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/Walking	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationataK9f	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.ClientService.exe	0%	Avira URL Cloud	safe
http://www.bingmapsportal.com	0%	Avira URL Cloud	safe
http://server-nixc4ced126-web.screenconnect.com	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.application?h=instance-ss6pex-relay.screencon	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exeA	0%	Avira URL Cloud	safe
http://instance-ss6pex-relay.screenconnect.com:443/a	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationG	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationstt	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.ClientServ	0%	Avira URL Cloud	safe
http://instance-ss6pex-relay.screenconnect.com:443/d	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	0%	Avira URL Cloud	safe
http://instance-ss6pex-relay.screenconnect.com:443/s	0%	Avira URL Cloud	safe
http://www.w3.or	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.configesourceHandler	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Locations	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	0%	Avira URL Cloud	safe
https://dynamic.t	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/Prod1C:	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.	0%	Avira URL Cloud	safe
http://instance-ss6pex-relay.screenconnect.com:443/G	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/Transit	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exex	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.ClientService.dll	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.config	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe.config	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationst	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.manifest?	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/Driving	0%	Avira URL Cloud	safe
https://bcl.screenconnect.comptD	0%	Avira URL Cloud	safe
http://instance-ss6pex-relay.screenconnect.com:443/%	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe.config	0%	Avira URL Cloud	safe
http://instance-ss6pex-relay.screenconnect.com:443/9	0%	Avira URL Cloud	safe
http://schemas.microso	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exes	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.manifestfm	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/mapcontrol/logging.ashx	0%	Avira URL Cloud	safe
http://www.xrml.org/schema/2001/11/xrml2coreS	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Wi	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exem	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com	0%	Avira URL Cloud	safe
http://www.w3.o	0%	Avira URL Cloud	safe
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com:443/Bin/ScreenConnect.Clie	0%	Avira URL Cloud	safe
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationX	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Core.dllJ	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe	0%	Avira URL Cloud	safe
http://instance-ss6pex-relay.screenconnect.com:443/	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.application%%	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/Transit/Stops/	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShX	0%	Avira URL Cloud	safe
http://www.xrml.org/schema/2001/11/xrml2core	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.appli	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/ProdV21C:	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/mapcontrol/logging.ashx	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	0%	Avira URL Cloud	safe
https://bcl.screenconnX	0%	Avira URL Cloud	safe
https://feedback.screenconnect.com/Feedback.axd	0%	Avira URL Cloud	safe
https://bcl.screenconnXr	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.manifest	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationig%	0%	Avira URL Cloud	safe
https://bcl.screenconnXz	0%	Avira URL Cloud	safe
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	0%	Avira URL Cloud	safe
https://bcl.ptD	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com:443/Bin/ScreenConnect.Client.application?h=instance-ss6pex-relay.scree	0%	Avira URL Cloud	safe
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/Locations	0%	Avira URL Cloud	safe
http://bcl.screenconnect.com	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Core.dll	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/h	0%	Avira URL Cloud	safe
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.application	0%	Avira URL Cloud	safe
https://bcl.screenconne	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
server-nixc4ced126-web.screenconnect.com	145.40.109.218	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown
server-nixc4ced126-relay.screenconnect.com	145.40.109.216	true	false	unknown
instance-ss6pex-relay.screenconnect.com	unknown	unknown	false	unknown
18.31.95.13.in-addr.arpa	unknown	unknown	false	unknown
time.windows.com	unknown	unknown	false	unknown
bcl.screenconnect.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.dll	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Windows.dll	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.ClientService.exe	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.ClientService.dll	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.config	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe.config	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe.config	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exe	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.manifest	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Core.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileMan8	dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000003.00000003.1445808184.000001EA88C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446779533.000001EA88C68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationataK9f	dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://standards.iso.org/iso/19770/-2/2009/schema.xsd	svchost.exe, 0000000B.00000002.2499280528.000002BAFFC87000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2498018632.000002BA80702000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.11.dr	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsClient.exe.P	dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000003.00000003.1446043971.000001EA88C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446758000.000001EA88C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445850657.000001EA88C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446111279.000001EA88C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446841312.000001EA88C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445741704.000001EA88C6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446670300.000001EA88C42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000003.00000003.1446111279.000001EA88C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446670300.000001EA88C42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://server-nixc4ced126-web.screenconnect.com	dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	dfsvc.exe, 00000002.00000002.2172747682.000002478001A000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.0000000001488000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bingmapsportal.com	svchost.exe, 00000003.00000002.1446595264.000001EA88C13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000003.00000003.1446043971.000001EA88C5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446758000.000001EA88C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445850657.000001EA88C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446620868.000001EA88C2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://instance-ss6pex-relay.screenconnect.com:443/a	ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationstt	ScreenConnect.WindowsClient.exe, 00000010.00000002.1775450361.0000000000B79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationG	dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exeA	dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.application?h=instance-ss6pex-relay.screencon	ScreenConnect.WindowsClient.exe, 00000010.00000002.1775450361.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1776077188.0000000002921000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775450361.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, B3V01X1N.log.2.dr	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000003.00000003.1445808184.000001EA88C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446779533.000001EA88C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446620868.000001EA88C2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://instance-ss6pex-relay.screenconnect.com:443/d	ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.00000000016EA000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.0000000001556000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.0000000001635000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.00000000018E6000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.00000000017C0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.000000000150B000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.0000000001809000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.00000000015C0000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.ClientService.exe, 00000012.00000002.2503200628.000000000167F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.ClientServ	dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000003.00000003.1446111279.000001EA88C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446670300.000001EA88C42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://instance-ss6pex-relay.screenconnect.com:443/s	ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3.or	dfsvc.exe, 00000002.00000002.2172747682.00000247802FA000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478056B000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780548000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/	dfsvc.exe, 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000007.00000002.2503381908.000002875CE6B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.configesourceHandler	dfsvc.exe, 00000002.00000002.2178743753.00000247EC4C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000003.00000003.1446084158.000001EA88C49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446111279.000001EA88C41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446670300.000001EA88C42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446149804.000001EA88C31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod1C:	edb.log.7.dr	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exe.	dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://instance-ss6pex-relay.screenconnect.com:443/G	ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsFileManager.exex	dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000003.00000002.1446758000.000001EA88C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445850657.000001EA88C62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000003.00000002.1446841312.000001EA88C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445741704.000001EA88C6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000003.00000003.1446149804.000001EA88C31000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.manifest?	dfsvc.exe, 00000002.00000002.2181786651.00000247F01DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationst	dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775450361.0000000000B79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.comptD	dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000003.00000003.1446111279.000001EA88C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://instance-ss6pex-relay.screenconnect.com:443/%	ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://instance-ss6pex-relay.screenconnect.com:443/9	ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.microso	dfsvc.exe, 00000002.00000002.2182162516.00000247F023F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000003.00000002.1446620868.000001EA88C2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.manifestfm	dfsvc.exe, 00000002.00000002.2181786651.00000247F01DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exes	dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xrml.org/schema/2001/11/xrml2coreS	dfsvc.exe, 00000002.00000002.2172747682.0000024780090000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShell.exem	dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com	dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780602000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478025A000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478048E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Wi	dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3.o	dfsvc.exe, 00000002.00000002.2172747682.0000024780548000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478050C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationX	ScreenConnect.WindowsClient.exe, 00000010.00000002.1776077188.000000000292F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000003.00000003.1445808184.000001EA88C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446779533.000001EA88C68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446620868.000001EA88C2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com:443/Bin/ScreenConnect.Clie	1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe, 00000001.00000002.1340535064.00000000013AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Core.dllJ	dfsvc.exe, 00000002.00000002.2181786651.00000247F01DF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://instance-ss6pex-relay.screenconnect.com:443/	ScreenConnect.ClientService.exe, 00000012.00000002.2498245531.0000000000998000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.application%%	dfsvc.exe, 00000002.00000002.2180464466.00000247EE8A6000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775774609.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.WindowsBackstageShX	dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000003.00000002.1446841312.000001EA88C70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445741704.000001EA88C6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xrml.org/schema/2001/11/xrml2core	dfsvc.exe, 00000002.00000002.2172747682.0000024780090000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.application#ScreenConnect.WindowsClient.appli	ScreenConnect.WindowsClient.exe, 00000010.00000002.1776077188.0000000002921000.00000004.00000800.00020000.00000000.sdmp, B3V01X1N.log.2.dr	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000003.00000002.1446758000.000001EA88C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445850657.000001EA88C62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1446620868.000001EA88C2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000003.00000003.1446149804.000001EA88C31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000007.00000003.1345152933.000002875CCF0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000003.00000002.1446758000.000001EA88C63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1445850657.000001EA88C62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000003.00000002.1446670300.000001EA88C42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnXz	dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnX	dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnXr	dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://feedback.screenconnect.com/Feedback.axd	ScreenConnect.Core.dll.2.dr	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.applicationig%	dfsvc.exe, 00000002.00000002.2180157276.00000247EE84E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com:443/Bin/ScreenConnect.Client.application?h=instance-ss6pex-relay.scree	B3V01X1N.log.2.dr	false	Avira URL Cloud: safe	unknown
https://bcl.ptD	dfsvc.exe, 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bcl.screenconnect.com	dfsvc.exe, 00000002.00000002.2172747682.0000024780801000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780776000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247806A5000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.00000247807CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/h	dfsvc.exe, 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000003.00000002.1446712644.000001EA88C58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1446131345.000001EA88C57000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconnect.com/Bin/ScreenConnect.Client.application	dfsvc.exe, 00000002.00000002.2181786651.00000247F01DF000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2183043457.00000247F0340000.00000004.00000020.00020000.00000000.sdmp, dfsvc.exe, 00000002.00000002.2172747682.0000024780602000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775450361.0000000000B79000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1776077188.000000000292F000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1776077188.0000000002921000.00000004.00000800.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775774609.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, ScreenConnect.WindowsClient.exe, 00000010.00000002.1775450361.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bcl.screenconne	dfsvc.exe, 00000002.00000002.2172747682.0000024780602000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
145.40.109.216	server-nixc4ced126-relay.screenconnect.com	Netherlands		34108	BREEDBANDDELFTNL	false
145.40.109.218	server-nixc4ced126-web.screenconnect.com	Netherlands		34108	BREEDBANDDELFTNL	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466878
Start date and time:	2024-07-03 14:32:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe (renamed file extension from old to exe)
Original Sample Name:	1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.old
Detection:	MAL
Classification:	mal54.evad.winEXE@23/81@6/3
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 63% Number of executed functions: 225 Number of non-executed functions: 19

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe
Excluded IPs from analysis (whitelisted): 40.119.148.38, 184.28.90.27, 199.232.214.172, 192.229.221.95, 199.232.210.172, 93.184.221.240
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, twc.trafficmanager.net, wu.ec.azureedge.net, cacerts.digicert.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net
Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 7848 because it is empty
Execution Graph export aborted for target ScreenConnect.ClientService.exe, PID 7872 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Simulations

Behavior and APIs

Time	Type	Description
08:33:18	API Interceptor	14309x Sleep call for process: dfsvc.exe modified
08:33:18	API Interceptor	1x Sleep call for process: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe modified
08:33:18	API Interceptor	2x Sleep call for process: svchost.exe modified
09:34:46	API Interceptor	1x Sleep call for process: ScreenConnect.ClientService.exe modified
09:34:53	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	http://www.cajamar-soporte.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFhSZp6GshBFVdVLEzBsru52fhlDAZ8Q3OfCA-2F-2Bk2qB9l25yp_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZM3qYZS8WARR8FVyg-2FqvoINWytiD-2FheyMDzu6v-2BoRt5KWyPoztbWkeGPmxB3DyZYTb9a0dAMPLFunr2Ay3ayAFAAvKLYcNXJh5TbSbsyQLthHxBhJhxiFX8keWC7AD3Hw3SgmU-2Be6lkIQuq7tgnHL9CbCr8GEaIyKgtaL1D3uFR7kdAbCakzZIHLBzzIP6uu3b9lr3L70N6m-2FPL5vz2WpJ-2B4Z2WkXjdKV6CAWTeZlidHHDlZecGQIcrIqiWGF6jpeY-3D#Dsonya.buzzard@aggregate.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://us-east-2.protection.sophos.com/?d=beehiiv.com&u=aHR0cHM6Ly9saW5rLm1haWwuYmVlaGlpdi5jb20vbHMvY2xpY2s_dXBuPXUwMDEublhka2JOSUpSeEZBS3VJWUJaMjU1N3l4Ujd6TmpDcFhIYW5SQnlyQXY3ZHMzMDZEQ091c3dBUU0yYzhiZFN4b1BudElFVWpoUzJhdzI1aDJUcWNiZVVCdXQ3WEhqcHZMejN4aS0yRnBZN2NYb3RNbXNIRlVyUkd5RDAzTGhIZms2a2E1ZGZEVFpCSlVkWnpOandHYUJsR0x3U1B4MlN1TVNIWEl5ZlI3YVdDNW1aeFNQLTJCUWFOUmpzMlpwblRwbmxpLTJGX245c19sZUtscWNRUnJvOGtNTXJocHFZOENpeTQ4MnhLUmJTM1NZcE16TVUtMkY5c0VvdjNqMExCNE1kOVZ3WUJvOEY2bEhJTllZbE90LTJGcjRQd1FwOXdCVmFuUXpmRy0yQnZlaFF5WVBjamlVbFpSN3VSaHJFbWFrLTJCYXY5T2RyYldyREphTmo3ck1iNmlhckR2Rjh1d2xPeDZ5VFY5ODFHLTJGejZiRDczakVOVHk4M0pXa2kzVzNTSzRBRURwQjd3dEg4blRyZ203ZjYxaEg2enlzYjFLYVl0S0pyWUJjU2QxNTN2SDQ5eDlTeW5acVZ0TGdqN2RrWU1FRkE1NzV6WWF6b2UwQmw2UnVUM1RHTkJiU2JpOHhUNUFnRGJMUjY4TlU1ay0yRmtDVFJtOHJrWWRMSDBNRGgtMkY3c1J6dVE4TEJxeDBvQzZ6WXVFQk0xRVFBdGI3eGxMZVEtMkJ5SEtiOE4yVHV0TFdpVEk4amc4b3U5MTkxRlM5SDEyLTJCbnJpT0hESVo2Nk1yd3pIeTRScFBQWlAtMkJ0Y1NscGt2Z01HT2F5Nmx6UGlCdE1MeGRrODI5eGU3TThFT1VLRDR2UHIxZFdYZ3c3MjFQQjFNa3k=&i=NWNiNGNiOGY1NWZlOGIxMTAwZmUxN2Uy&t=YUVvbWN0aDQzMW4yV29uam9nK2tUNmU1dStvM2VicUNJeENiWDR5Zk1nTT0=&h=ddfea45e1610491898abc824d1dabad5&s=AVNPUEhUT0NFTkNSWVBUSVaKXvCVdmaYUeJ4sMCGgh9xhnT0RF3qCfPvI6ciaUbnMg	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://esg-frontend-service.livelybush-ffb58a47.northeurope.azurecontainerapps.io/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://tucertificado.es	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://www.doneck.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	SecuriteInfo.com.Win32.PWSX-gen.21042.22708.exe	Get hash	malicious	AgentTesla	Browse	192.229.221.95
	https://maknastudio.com/pkyo	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://bombeirosamora-my.sharepoint.com/:o:/g/personal/geral_comando_bombeirosamora_pt/EqT53jeWO6ZGkv1O_1FowosB2CSGfrKDmTZiEPPt31Ds7g?e=5%3aGFx4a1&at=9	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	http://cdn.polyfill.io	Get hash	malicious	Unknown	Browse	192.229.221.95
bg.microsoft.map.fastly.net	La1EGA8voq.exe	Get hash	malicious	Remcos	Browse	199.232.210.172
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFhSZp6GshBFVdVLEzBsru52fhlDAZ8Q3OfCA-2F-2Bk2qB9l25yp_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZM3qYZS8WARR8FVyg-2FqvoINWytiD-2FheyMDzu6v-2BoRt5KWyPoztbWkeGPmxB3DyZYTb9a0dAMPLFunr2Ay3ayAFAAvKLYcNXJh5TbSbsyQLthHxBhJhxiFX8keWC7AD3Hw3SgmU-2Be6lkIQuq7tgnHL9CbCr8GEaIyKgtaL1D3uFR7kdAbCakzZIHLBzzIP6uu3b9lr3L70N6m-2FPL5vz2WpJ-2B4Z2WkXjdKV6CAWTeZlidHHDlZecGQIcrIqiWGF6jpeY-3D#Dsonya.buzzard@aggregate.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://netorg4760159-my.sharepoint.com/:o:/g/personal/m_lada_specialistceramics_co_uk/Est2zqaL8tdCnm1FFsGXxuQBFHvo32bUnARjMzIqK8tSUg?e=5%3aoB5RFO&at=9	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	Invoice - 21153253589581947197326090404964329500290845699807 - Toyotaconnected.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://ejecajd.r.bh.d.sendibt3.com/tr/cl/V9yYBoIhg-mhiB4j_Rjreo0N1He_j2m-xS6GBPj2oqW16M8g5ecZP_JmsWPfULsGJTcoQiB9efTp7HX72hZmAr4fd1kRXbs2Ym5Q2C_F4PAnan5vNLIsRlnpBoKf27fDkQexMqhU8gjrOO92tIj6XdaPzzvG3XtpDeigX88YtrQEMlg6mS41D_Jyzo1m7pDrSSfSDzI1qe6IyY2Bn49WiUEbBl3F0Fz3jkTUXYMY_dkADcAtSN6gTgiWETXeQVn3j8zQUAITeXO9VLU	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://tucertificado.es	Get hash	malicious	Unknown	Browse	199.232.214.172
	SecuriteInfo.com.Win32.PWSX-gen.21042.22708.exe	Get hash	malicious	AgentTesla	Browse	199.232.210.172
	Letter-04.doc	Get hash	malicious	Unknown	Browse	199.232.210.172
	awb_shipping_post_02072024224782020031808174CN18020724000000224(991KB).vbs	Get hash	malicious	GuLoader	Browse	199.232.214.172
	https://www.itanhangasaude.com.br/www/1475312998d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT___714820ufgtMx5cBwKyVuzlJn3VAYy1QdJUF0IuhCb1EFSueBwxxR9n7T4VNMSyrZd9kcF9rD67v2lJn3VufgtMP8xfiVl9n3IuhCbR9n7Tx5cBw4VNMSx5cBwi3vtsVl9n3MryfS1EFSuufgtMi3vts7O1AR408519___47741237d8aKqdmPdPNJZi4JNq7WIowwvYGOvuIT	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BREEDBANDDELFTNL	http://multichaindappsx.pages.dev/	Get hash	malicious	Unknown	Browse	145.40.97.66
	AAMwAy8pB7.elf	Get hash	malicious	Mirai, Moobot	Browse	145.43.122.192
	http://playsportzone.com	Get hash	malicious	Unknown	Browse	145.40.97.66
	https://www.winhelponline.com/blog/microsoft-edge-url-shortcut/	Get hash	malicious	HTMLPhisher	Browse	145.40.97.66
	https://www.barstoolsports.com/blog/3517288/i-would-fucking-kill-you-right-now-if-i-could-kelly-and-tate-finally-met-in-chicago-and-boy-oh-boy-was-it-fireworks#story-comments	Get hash	malicious	Unknown	Browse	145.40.97.67
	http://mibs-neotenies-b73c3308-57653002eca0e1-3ad8141911d9be9-258.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	145.40.97.67
	https://shorturl.at/c9o0a	Get hash	malicious	Unknown	Browse	145.40.97.67
	wQsdlAeKOF.elf	Get hash	malicious	Mirai	Browse	145.40.82.209
	http://www.today.com	Get hash	malicious	Unknown	Browse	145.40.97.66
	https://www.ghanaweb.com	Get hash	malicious	Unknown	Browse	145.40.97.67
BREEDBANDDELFTNL	http://multichaindappsx.pages.dev/	Get hash	malicious	Unknown	Browse	145.40.97.66
	AAMwAy8pB7.elf	Get hash	malicious	Mirai, Moobot	Browse	145.43.122.192
	http://playsportzone.com	Get hash	malicious	Unknown	Browse	145.40.97.66
	https://www.winhelponline.com/blog/microsoft-edge-url-shortcut/	Get hash	malicious	HTMLPhisher	Browse	145.40.97.66
	https://www.barstoolsports.com/blog/3517288/i-would-fucking-kill-you-right-now-if-i-could-kelly-and-tate-finally-met-in-chicago-and-boy-oh-boy-was-it-fireworks#story-comments	Get hash	malicious	Unknown	Browse	145.40.97.67
	http://mibs-neotenies-b73c3308-57653002eca0e1-3ad8141911d9be9-258.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	145.40.97.67
	https://shorturl.at/c9o0a	Get hash	malicious	Unknown	Browse	145.40.97.67
	wQsdlAeKOF.elf	Get hash	malicious	Mirai	Browse	145.40.82.209
	http://www.today.com	Get hash	malicious	Unknown	Browse	145.40.97.66
	https://www.ghanaweb.com	Get hash	malicious	Unknown	Browse	145.40.97.67

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	http://www.cajamar-soporte.com	Get hash	malicious	Unknown	Browse	145.40.109.218
	1mXbuDDPbF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	145.40.109.218
	k8TljgjfDl.exe	Get hash	malicious	Snake Keylogger	Browse	145.40.109.218
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFhSZp6GshBFVdVLEzBsru52fhlDAZ8Q3OfCA-2F-2Bk2qB9l25yp_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZM3qYZS8WARR8FVyg-2FqvoINWytiD-2FheyMDzu6v-2BoRt5KWyPoztbWkeGPmxB3DyZYTb9a0dAMPLFunr2Ay3ayAFAAvKLYcNXJh5TbSbsyQLthHxBhJhxiFX8keWC7AD3Hw3SgmU-2Be6lkIQuq7tgnHL9CbCr8GEaIyKgtaL1D3uFR7kdAbCakzZIHLBzzIP6uu3b9lr3L70N6m-2FPL5vz2WpJ-2B4Z2WkXjdKV6CAWTeZlidHHDlZecGQIcrIqiWGF6jpeY-3D#Dsonya.buzzard@aggregate.com	Get hash	malicious	Unknown	Browse	145.40.109.218
	q7r87KTHbc.exe	Get hash	malicious	AgentTesla	Browse	145.40.109.218
	fKSLpv8s1v.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	145.40.109.218
	New Orders 116403.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	145.40.109.218
	TRANEXAMIC ACID & CAMPHANEDIOL SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	145.40.109.218
	Invoice - 21153253589581947197326090404964329500290845699807 - Toyotaconnected.pdf	Get hash	malicious	Unknown	Browse	145.40.109.218
	Project_ref_03072024_pdf.exe	Get hash	malicious	AgentTesla	Browse	145.40.109.218

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsFileManager.exe	s.exe	Get hash	malicious	ScreenConnect Tool	Browse
	s.exe	Get hash	malicious	ScreenConnect Tool	Browse
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.ClientService.exe	s.exe	Get hash	malicious	ScreenConnect Tool	Browse
	s.exe	Get hash	malicious	ScreenConnect Tool	Browse
C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsBackstageShell.exe	s.exe	Get hash	malicious	ScreenConnect Tool	Browse
	s.exe	Get hash	malicious	ScreenConnect Tool	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7067017715771463
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6VqK:2JIB/wUKUKQncEmYRTwh0+
MD5:	77AB6CCDF8809DE2E9C71A80EFD78C7C
SHA1:	28A806F2FBC0A2A6F38231EEC46662EB1C50215E
SHA-256:	3789677AB5459982C97AFF76BBB482B758DF1FE55517017E69290D045C67759D
SHA-512:	B51813CF85E7244420DA7ABDB90D2A0EAE56EC1E16AB61E557F9F56119DC80B3EC047FAC4091A1156DAFF20A76C31C035C406DB9DF1A30C6F6996C8EF8BF6023
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x54a85fa3, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7899817725263908
Encrypted:	false
SSDEEP:	1536:7SB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:7azaPvgurTd42UgSii
MD5:	4AA94AEA26A5F1A37A96469DE3202A0C
SHA1:	29D85E1CE08DEC4F226DD982E3AFB7529C4738E5
SHA-256:	ECC02BA068E62A070CB734C92A6A605ABFDAB19DA2583242B0B410C67A3C1A99
SHA-512:	B319A8C7916BFCE62E64868236574CDD83B372D8F22813D5B8409E77BEE93CAA9B4E43FD6A720ACE2716EE0397E047EC9B3C7E13FAFDA246ADB8453A8AE61F86
Malicious:	false
Preview:	T._.... ...............X\...;...{......................0.`.....42...{5..!...\|k.h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{....................................V}.!...\|k...................@..!...\|k..........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08036216393978302
Encrypted:	false
SSDEEP:	3:ADi/KYeBDiExt/57Dek3JCl+/illEqW3l/TjzzQ/t:AuKzBDiEbR3tTemd8/
MD5:	D8ADEB4CEAEA791261B6F35EE77FCC7D
SHA1:	2903ADBCF12D2D3F5C569D5343026B2CCC772FF9
SHA-256:	56255DA67F1D4D1B2C619AA4308BDD411CC1C8B98DDE4C174A199DF5C2E53DE2
SHA-512:	F1FAC22EE2457EF9721CB315B4033465474E3461E312434C8E8429BD48E8365B9C034FC6E4A695A466297A6E35EF4EF8A4C4AB1F6C69D195F45F94C789F306E3
Malicious:	false
Preview:	.........................................;...{...!...\|k.42...{5.........42...{5.42...{5...Y.42...{59..................@..!...\|k.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.4cdd5988-935f-4255-9ab4-31eed42bc85e.1.etl

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.198465154202691
Encrypted:	false
SSDEEP:	12:mqPqF69Fq5TO6hk56GWtbgjO3s7Nxk56GlfxhKZdd2l:v1ghGtm2jGtlZidd2l
MD5:	483901B389D024A5A88A38A5921FB76A
SHA1:	2ECA550C35D12E1CE37D2AD2F36B61F2C315068A
SHA-256:	FB595E8773693A332ADA3D6D62541FA519C42FED04C05ACE0BC0E83ED37E175A
SHA-512:	5A4AC36C68F9B13F1290C4E92E09805993840EF8CCA8AD7E5AB3C939BA1AAE244460946493D8F60BA683F24283B43BC47494C00ECE25E031460154DD2AFF0C87
Malicious:	false
Preview:	............................................................................D............../E...................eJ..............Zb..K....(......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................=\|X............../E...........U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.U.S.O.S.h.a.r.e.d.\.L.o.g.s.\.S.y.s.t.e.m.\.U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...4.c.d.d.5.9.8.8.-.9.3.5.f.-.4.2.5.5.-.9.a.b.4.-.3.1.e.e.d.4.2.b.c.8.5.e...1...e.t.l...........P.P............/E...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	999
Entropy (8bit):	4.966299883488245
Encrypted:	false
SSDEEP:	24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
MD5:	24567B9212F806F6E3E27CDEB07728C0
SHA1:	371AE77042FFF52327BF4B929495D5603404107D
SHA-256:	82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
SHA-512:	5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">...<entitlement_required_indicator>true</entitlement_required_indicator>...<product_title>Windows 10 Pro</product_title>...<product_version>....<name>10.0.19041.1865</name>....<numeric>.....<major>10</major>.....<minor>0</minor>.....<build>19041</build>.....<review>1865</review>....</numeric>...</product_version>...<software_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_creator>...<software_licensor>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_licensor>...<software_id>....<unique_id>Windows-10-Pro</unique_id>....<tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>...</software_id>...<tag_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</tag_creator>..</software_identification_tag>..

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	4770
Entropy (8bit):	7.946747821604857
Encrypted:	false
SSDEEP:	96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
MD5:	1BFE591A4FE3D91B03CDF26EAACD8F89
SHA1:	719C37C320F518AC168C86723724891950911CEA
SHA-256:	9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
SHA-512:	02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
Malicious:	false
Preview:	MSCF............,...................O.................2Wqh .disallowedcert.stl....^K...CK.wTS...:.w.K'.C0T.....Bh.{....C.)......Y@...(..).R."E..D^6........u....\|f~3...o.3. ..SPK.k.o#...."{-.U..P........:..aPr.@.d......Dy.h.....)..:...!./\A.....A<I_<$...q.h..........'.....7....H...@`T..K.S.%...Y4..R.....`.....-....D...(..b..-c."...G.=.dx..S+..2.a.E....d.L...77J...c.[..@..iT&..^78..g....NW6.Ek..FY.F........cNt.O...R..........D...... k........J.y...z.d...;.9_t...].@....yw..}.x....d.t..`f\K..;\|.h.X...4/.;.xT......q>.0...<...3...X..L$.&.,b.....\V....\......G..O..@..H3.....t..J..).x.?.{[..G>.7...<...^Q..z..Gw9P..d....i].n%K}.z..2.Py...A..s...z..@...4..........4.....Y.d..._Z.5.s..fl.C..#.K{9^.E...k..z.Ma..G.(.....5g. ...}.t.#4....$;.,....S@fs....k......u .^2.#_...I........;.......w..P...UCY...$;.S._\|.x..dK...[i..q..^.l..A.?.....'N.. .L.l......m.*.+f#]............A.;.....Z..rIt....RW....Kr1e=8.=.z:Oi.z.d..r..C_......o...]j.N;.s....3@3.dgrv.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42B

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	727
Entropy (8bit):	7.566186420888115
Encrypted:	false
SSDEEP:	12:5o6Tq92I5h44TkYbJZV7ob5Itdx2QFeRt5J+iRsfe9vXOVRRRuSMtK0e+Xj3l:5cAYVG6t5URt5QiRsivXOjRRuSMtvekV
MD5:	A41DBF2BC6ED499C89A067709ADDD873
SHA1:	FD021C18835DD737402368D91303E6751ED3953A
SHA-256:	1E6DF074DCC1882741D0FCD8C8AC5BD26E099C80C52B777E66D4DAEF651B06EF
SHA-512:	B5CF05A7F4CC8F16C6844417764AF62F0C60C50064204E1EC6647B749118C51C2C4FE3DA6AE8727C65863DA8D08FBEB016370F8979B6680EC99D6CCD55E8544A
Malicious:	false
Preview:	0..........0.....+.....0......0...0......h7..;._....a{..e.NB..20240702225429Z0s0q0I0...+.........]....^Idk...NG.X....h7..;._....a{..e.NB....`....fB.........20240702223902Z....20240709213902Z0....H...............k.!~.Jn..s.h.T...~^...V.....(.'.z`.c...\$O.0;YZ....R...v9.3....4..j.[b+.h...-a]1.....#\@.l..N..43...jL.\|.8...k.=:...N......2..&..-..._7.".6..a+yP.0KP..ap#\|.]............F.O..j...@.c.....m.P\.]..D..._......}%.9......;.,.0..8.......r.V....s.}.<7.}... ..x.C^55.4P..U.B..T....2V..?HsR..IC].F..^1p. ...Xc.!0..k.~...... .]....)U....g.5...~..F.A...Y^UX.n..#.j.EPR]:]/e....?2....i:..Q.Z.gG...L.y..H..3.T.f..XUg.,?.....:.d..(...&.\|T.-...0]...{i.<.c..W.l.r.K..*.....v.....?...T.\|..#]Q.p.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	727
Entropy (8bit):	7.627671835133159
Encrypted:	false
SSDEEP:	12:5onfZfc5RlRtBfQdb5/sH5ftEuMip9MxO3ngKhQoBLbxy2q9r3Rtmsgkx3:5ipcdZWb5/wtEudrXGwy5F3Rssgkx3
MD5:	9093557AF82822C4D8BE88D36ADE0CCD
SHA1:	1C744E36086EEDC8A44C6D8935E05AF08B5A9072
SHA-256:	854BECA7C05496F3289740D8F02F4E399FCD3217026098EF888BEE4F9C5CDB38
SHA-512:	4F943E5E5B8FF9DFA398838D2E1BD5070A47B4D1E49043139CB4CE20A7BCE2BAB131419712EECF00BA5ECB82318116EA62031FF947086B6756B48BBDB894DAE8
Malicious:	false
Preview:	0..........0.....+.....0......0...0..........q]dL..g?....O..20240701184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20240701184215Z....20240708184215Z0....H.............".z..b.{....`v.......I..!...n\|LTf.>.,.-.5a../....eUz.Z..N...K.....j..:.......5..kk-....yv?....Z..8....1s.....D....}.G1.(...._bP.q.....O&..?G.3.......]......$\|.J.p..hr...H...p....,...&E.o..y..V.e...Y...S~.Bk#p..:......+Bp.....z{O.._)....;..%n=.u./.IM....<.AFyC..Nk.J.....E*W}X...qk.:..f.w.........J)g.]<e$..G...5._.y....4R.....r.T.:.).......i...s8..h.%Zc...Q.@.BvU.....W)....qZ.Xj.%U...NdF.&e=.......Q...gEd4.......xY-.......:T.Yg-.AP.f..gy.l.2j..0......w..C..Y.[....Y..x....8...c.i..a.=.X..)\

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1428
Entropy (8bit):	7.688784034406474
Encrypted:	false
SSDEEP:	24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
MD5:	78F2FCAA601F2FB4EBC937BA532E7549
SHA1:	DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
SHA-256:	552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
SHA-512:	BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
Malicious:	false
Preview:	0...0..x..........W..!2.9...wu\0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0....H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...sn..\|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..\|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0....H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	338
Entropy (8bit):	3.5679609408257233
Encrypted:	false
SSDEEP:	6:kKBC87JmsN+SkQlPlEGYRMY9z+s3Ql2DUevat:MzTkPlE99SCQl2DUevat
MD5:	834546373DE973A49A5B03D7219293E1
SHA1:	071F8A9361E3A0D05812BAAFBBC56CBFEF2F2DB0
SHA-256:	B5395E692174E086A02FFD1FE39B3B242806BBE97DC3D81834C9F4A96557644D
SHA-512:	D1218618672A65C8C4BC754F227A1BDEC7D90E3941F136BFD1A60FA005072A8C01705D7913E4E97CB7DB605485C9B5BC62D5281E66419AD73FD87B3BD2F19280
Malicious:	false
Preview:	p...... ................(...............................................RL.N.... .........p.........$.....(=........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.23464019790757
Encrypted:	false
SSDEEP:	6:kKMkT9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:UkqDImsLNkPlE99SNxAhUe/3
MD5:	AB9CA674500F5B2EABFC0482A5DDFF0C
SHA1:	43086DCCD7054CAE8544D0CC39A0CE4B73755F64
SHA-256:	A9BF5B29E36BE4D40F42C387F174777C47D40509BE7A37B493D4F68A3429BC51
SHA-512:	10D4B8FEBE58669455E1CB9750271929131A2FF24F2E702477D9FA475EDDA5031715E98C0BADFA085E27803F9A2672DE0F6458F3B9A6C7086B81338903392EE5
Malicious:	false
Preview:	p...... ...........k....(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42B

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	404
Entropy (8bit):	3.9532184924137335
Encrypted:	false
SSDEEP:	12:XGK//QmxMiv8sF3HtllJZIvOP200A9UUW:xImxxvnJ2nA9lW
MD5:	7CBD00B20DEFC29F170F94FE06080DBD
SHA1:	534F32BEE8D40BE07944A614542391E639A3BCFD
SHA-256:	F1BFCB0B9DA8C9EEFAB668B2836CE6894CD990FAE2A9B8DDF976F74CC3768A89
SHA-512:	7670C69CB189C1EE2BED08AF5D5215EC573F47C9CE050D08E1E107FE4B2E534BEDE695A268746A43AD14A3FE2FAFCEED102FAA3DC0E360DDDEE2871129F0DC04
Malicious:	false
Preview:	p...... .... ..._{.2....(.........................jH......................jH... .........$.8... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.u.T.Y.A.U.b.z.P.Z.m.Q.p.m.J.m.N.W.6.l.8.4.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	412
Entropy (8bit):	3.9807523500926583
Encrypted:	false
SSDEEP:	12:SQ01IsYmxMiv8sFBSfamB3rbFURMOlAkr:SdYmxxv7Sf13rbQJr
MD5:	CFD521FF3B1CEEECF37F29F24AC237DB
SHA1:	86A4C8E85BCA0517C3EEF5B8E7E479528F5AC668
SHA-256:	962855B715E2F28B6866897B967F22A039A27AC760FF7364B19DE170585178E6
SHA-512:	1257DC61D3A4A5F2218F8AAC75BAF0E02B85D2EE08E8CD082F3A83633278B6521D5D9B75DC9783EA4AE1F34BD816C0B697EBA6B30E45EA7E0A61C21E4D788128
Malicious:	false
Preview:	p...... ....(...hw.q....(.................d......f.f.....................f.f... .........G?... ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	254
Entropy (8bit):	3.068646898467291
Encrypted:	false
SSDEEP:	6:kK/uLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:XuLYS4tWOxSW0PAMsZp
MD5:	563EB5AE739915C51018408FB105AC6D
SHA1:	16E5693D76411925E5DA2BA8A1E945845DD5F272
SHA-256:	6AC7CC322BB31F3B1662289EC9DD85E58BDA5D401112874C1DB3338693962F94
SHA-512:	9DEB04D40519D4E723B0BD5A0C62C7A64A6A6F58911D0A4DAB5719F0853620233C5F09006B3443C73C07FAE95CDEFCD6C275FA7DDC0D349C10DE64DE2D4DB02B
Malicious:	false
Preview:	p...... ....l....=.....(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	25496
Entropy (8bit):	5.065336363003334
Encrypted:	false
SSDEEP:	384:NHqYAGsFGxj6i/eX9BUT5X9R/QPIBM7YV+++amt4:NKRaj6VX9B+X9R/QPI+0V+++amt4
MD5:	16DA75477967B48760AB29E25100E562
SHA1:	C035DB1308635B07157B305F2365C2F612D317A9
SHA-256:	DB7BF4850BCF1329722D2A7A4355C1123269B15EB2562E3991A2E03D382A97B9
SHA-512:	2A233AAA16187EFA690BB81209D9B7C2BCA1D77A92A6729E683CC7544AF8AD095C282E498DC09DE80E14E955E90840600BD83E312CC29A241FDCDAD16639EFAC
Malicious:	false
Preview:	PcmH.........O.NH..4f.......!...T...........................e...?....<.g..J.\|r,..`P....}'.d.........8........R....................U.K...W.....U..c...................'-........s".I...R.....$............=..kk.......S..{.........6.......'~.x.h.....[...........5...M...8..........~9......-.a:...j.......;...K*...!.<......6..A....y.].m..C....=4.....E....&..{.!.G....qz...#aI...@.R....K....u..IV..N......D..O.....E..X.R......3LD.SV...[s.T..<Y...O.&r..Vz\...........`.......=...P...S...W...Z...].......,.......L.......T.......\.......`.......\|...........................................@.......0...........<.......T.......h.......\|...0.......................................0...........<.......T.......h.......\|...0.......................................0...........8.......L.......`...0...l.......................................................................,.......8.......L.......`.......l...........................................................................................@...

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10073), with CRLF line terminators
Category:	dropped
Size (bytes):	17858
Entropy (8bit):	5.957071882530624
Encrypted:	false
SSDEEP:	384:NeG1kKsjbVJcwaMHf6b/TX9SUT4X9FX9R/QPIYM7Y7:NIt6nX9SDX9FX9R/QPIN07
MD5:	F07208902A10A9CDDF338F6256FE6B11
SHA1:	FC7E577DEC034B680A80B51A6D188AF3B429E2F4
SHA-256:	ADD65D10A544D74CE772D5130EA11C1827B8521EA7B06B1FAE7251BD852C46E4
SHA-512:	A9DEE634EB94D01CC25FFE6E793E41CD7B49814B3A4BA4515719BAD15602BFE34BE2A7029ACCAEE123330D34CE39736FAE4F4F80BCD3F3FAE822653419733435
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.1.7.8892" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.1.7.8892" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" parameter

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3452
Entropy (8bit):	4.264976824507276
Encrypted:	false
SSDEEP:	48:WIEYeF7lMDWW+LgGe6S+9owQX7go7mLoKp3GeeR+G1mlD8FtR7hIYX:WIWWweV+WwQXRmLoK83R+G1m8F7hIYX
MD5:	05417E6F4CA7B531631804C02A550995
SHA1:	AE5FCD6AA7B770144B98414185587BDDAD281B06
SHA-256:	F9751AD6BCB48D9D87990E3684346582BC65824A14E565B3B38D3EBDBA9B7D25
SHA-512:	A5DF022DA73261145A5AA0132B7D2DA50676124D64E1B0E001A4D032C3BE67114D8D9722362DB41E7E0DF89CA30D9684D1B686566F3D028BD2EF9797CC29E5E2
Malicious:	false
Preview:	PcmH........Y..%....#...(.......T..........................."........<.g..J.\|r,..`P..............E..X......U..c...................'-........s".I...R.....$............=..kk.....'~.x.h.................z..w.....[~31.X....s)..;$D......B(.........f..VC.........;..........................0...@...0...p...0.......0...................................0.......4.......D.......T.......\...4...h...........P...\...........@...................................,...(...4.......\.......d.......x...(.......................(.......................(...........$...4...,.......`...................................................................................................................................................................................................nameScreenConnect.Core%%processorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.1.7.8892%....................................................MdHd............D...........MdSp(...$...&...(...#............... urn:schemas

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1215
Entropy (8bit):	5.130500697087904
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0AYvSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A0GVETDTo
MD5:	9E3FD8A2790F7D451F4D9B853EDB19CB
SHA1:	C4F26162B4666CF98DA7467F819140D6063565E2
SHA-256:	6244A07CF52244E257AC5E2CA1EB619CE9434B3ED0AEF6C93C9CFB258AED7AEB
SHA-512:	64A9A9FA4B45EBA7334444D87AA8B4A808FF5BBD3BC71CB205193BC9DE2B623D15E5FF6E3CE9D2ACF445ACA738749398A1C5249AFF09AF8EAEED6F465389010C
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.1.7.8892" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssemb

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	5256
Entropy (8bit):	4.087733859064071
Encrypted:	false
SSDEEP:	96:y04+RzgPheV+Ww76kZpJMRAcBhFZwnANbz:rRzgWJQZp2KcsAN
MD5:	8AA7C193B54AAB84154D13B747288191
SHA1:	44DE5D406FBC94AB95B47D245CD4848BAA83D344
SHA-256:	BB6800CC67269FA4E4F49269870817DA4250E795BDA50DF5DDFC21959D8B6D4F
SHA-512:	8B318D4243928C038E6E326946CEC643CDFE9766788FD298AB325FD79CFF6F2350F1A34A057187F7CEB5FED2E2EFF20E1B256E14597E8FB399B667551CCF7476
Malicious:	false
Preview:	PcmH........X...X..4...t.......T...............P...........3........<.g..J.\|r,..`P............O.&r..Vz.....U..c...................'-........s".I...R.....$............=..kk.....[.......................z..w.....[~31.X....C.........y..&..d......B(.........^.ie...u".....E..X.%...s".I...R&...F.....Ey)....+.`...m,......;../............... ...#...'...*...-...0...0.......0...D...0...t...0.......0.......0.......0...4...0...d...................................................................4...........4...P...........h...@.......................................(...................$...(...8.......`.......h.......x...(.......................(...............................(... .......H.......P...(...`...................(.......................(...............d...........l.......................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1980
Entropy (8bit):	5.057630602870424
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0A6vSkcyMWcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AWHMWGQAXRTFgTo
MD5:	4AC5D03B56ACF6EC0969D4017745DF3A
SHA1:	585FB53CB3B99848572813A5DFE13F9F9A56866B
SHA-256:	A4D063C3BA3B9D1572DB0193C55EB23C2C4D500987D600A7641B82076F1A5E8F
SHA-512:	ED5EF6055A4EFEE57EB43306E1929F55EEEB2AFB8EA12D69BF1F575B0626F46E0EEEC8A16C48249639ACA5D2A6C0B8D1421B543888F09953D12B0C1B46BAF85E
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.1.7.8892" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.1.7.8892" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	6584
Entropy (8bit):	4.075670888578214
Encrypted:	false
SSDEEP:	96:Ux0PPBpRUeV+Wwwg8Wpf2F7h9vjj/lQqFz8WrTVqO/e:XPPlJspfkh9/tg0Va
MD5:	216DC5046A20810247EA14EC5284D9CB
SHA1:	D6AD90FCB22CEF8744C987E32D6C459F8FA803E6
SHA-256:	A8751C06EEA080BA16AF74F5249EB4C17A2A4B54C69A3195E0D6DC2AAC7D07AD
SHA-512:	131E1EAE00642C424AAF8C7A2EC51CFA4DBF718E7AAF36AF65687FE54776B926B098DFFC9B5DFEB5323D1DE26D754D31877087D59C5A00242F89826A8478C02B
Malicious:	false
Preview:	PcmH........k......9@...........T...............t...........?........<.g..J.\|r,..`P.............U.K...W.....U..c...................'-........s".I...R.....$............=..kk.........}'.d................z..w.....[~31.X....[s.T..<....s".I...R....y..&..d."....B(.....#...C.....&...^.ie...u).....E..X.,...F.....Ey/...O.&r..Vz2...f..VC..5......;..8.....V....X;........... ...$...'...*...-...0...3...6...9...<...0.......0.......0.......0...4...0...d...0.......0.......0.......0...$...0...T...0.......................................................................4...$.......X...P...T...........@...................................,...(...4.......\.......d.......x...(...............................(.......................(...........D.......L...(...`...................(.......................(.......................(...,.......T.......\...(...h...................(.......................(...................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2569
Entropy (8bit):	5.0259568369832275
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AtHMWAXQ3MWTMWRGTDBTo:1YiW4AWzvDm
MD5:	F9B14DF497B4C59141DD68827E7D6C2E
SHA1:	EB415A7B5A7784694458B4D8BA6CB30BF38C81FE
SHA-256:	0CAD8868B6947F86137E592308EC8BA46E318898DC338557B4FDCE0D056A5D9C
SHA-512:	5E0F9F2D89DCA27B9F89CC25C040B7C8E5F5A27230C1E1EA91FFD6E1B51EBD0C3E739C2F917FBCC63E125CF819E71FDF3DD27B47B03EC51A6D34CC7AA6F14FF2
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.1.7.8892" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.1.7.8892" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	3032
Entropy (8bit):	4.341513112107231
Encrypted:	false
SSDEEP:	48:F/Q/cIgMe6S+9oww7gq794wMfi1JlhjrnwbH:FY/cgeV+Wwwr94b61prnEH
MD5:	0AA182032C34679AA797FE21D3138F83
SHA1:	FDD9E94E1E70474856682CC5A85AB90BF68E805A
SHA-256:	37A1F037DE68F6AC101D16DA0D530524EA3E33CBA13DF95AC68255E0C8EAC033
SHA-512:	BFF5196183CDC310501E3F86F0558B2C91BAC6A9CF13B25F35EEDDEDBCB12E21823C7BBD3C09B457A4F605BED4E1F866E6B6EBC18F0E23B2B389E8D7284F2E9E
Malicious:	false
Preview:	PcmH........y...M..............T....................................<.g..J.\|r,..`P............[s.T..<.....U..c...................'-........s".I...R.....$............=..kk.......S..{..................z..w.....[~31.X......E..X.....s".I...R.......;......................0.......0...@...0...p...................................................................4...........<...P...........P...@...h...................................(...............................(...,.......T.......\...(...d...........(...............................................................................................................................................................nameScreenConnect.ClientprocessorArchitecture%%%msilpublicKeyToken%%4B14C015C87C1AD8version%24.1.7.8892%....................................................MdHd............<...........MdSp ...$....... ..."............... urn:schemas-microsoft-com:asm.v1.assembly.xmlns.1.0.manifestVersion urn:schemas-microsoft-com:asm.v2.asmv2)

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.1467712039224764
Encrypted:	false
SSDEEP:	12:MMHdF4XZ8i9o9olxbv5NEgVkP0A7R7vNxW57FpS+iENg49vNxW5NgMsNg49vNxWO:JdFYZ8h9onRigeP0A0vSkcyMWcVSkTo
MD5:	24AF083471952E5073014B7269B94D1D
SHA1:	3AA11476B34B771738DBD42F61FBD3FE16139064
SHA-256:	6FDB3834F278D039F8F36F875C1A842BE8143DF0547E9DB04AAF54B655DC2B3D
SHA-512:	C2A6FF6BA4C67A6F676E1BE4A639AA07F43D7848FAF0D24C04A4097D14C9BF371B15FE5E60B7E9FB747DD07FF2637A303C52A59BA9885317CEB66A97B2E56732
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.1.7.8892" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.1.7.8892" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependent

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre..tion_25b0fbb6ef7eb094_0018.0001_none_38bfd8c0a9435f4e.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	14608
Entropy (8bit):	5.717428606239835
Encrypted:	false
SSDEEP:	192:7xQJ9rB61KfwM28s8ojyKN8s8oTN2x2QPIlFDLhEDh7BqWojOn:7xw9rB61KfwM2X9jZX9R/QPIBM7YjE
MD5:	0BE927B6546BD24395F26D51039F1D09
SHA1:	32332C8885C9FC90898ED6E700254F1D90656CD0
SHA-256:	7AD636FC98977EA87433A5161FD6ED7FCCCBA80ED5B5064D4592B1D9659BC5F3
SHA-512:	3174744A42E801246A8A3C579579F9BA598C8E75DA5744B386FBA50399FDAEE187CE976BAA7BF51A1F3D5BA0330C43B7D8AA4A831BDA23EEA85C860C46529906
Malicious:	false
Preview:	PcmH..........\.....$...@.......T...............8...........#........<.g..J.\|r,..`PF...}&............Z.....)....E......x...\......=+.p.......I\t.\..>................j.K...6.....U..c...................'-...........-.a.....$............=..kk..........8........R...........}'.d....j...........K*...!.................`...........................0...................................................(.......@.......P.......T...'...X...................................................4................3......P....7......<8......D8......L8......l8......p8..L...x8.......8.......8.......8.......8.......8..ScreenConnect.Client.manifest%%%.~W}..Kh....m...)....#.............-........................E......................................4.0.30319%%%Client%%4.0%ScreenConnect Software%%ScreenConnect Client....................................P.......nameScreenConnect.WindowsClient.application%processorArchitecture%%%msilpublicKeyToken%%25b0fbb6ef7eb094version%24.1.7.8892%........................

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre..tion_25b0fbb6ef7eb094_0018.0001_none_38bfd8c0a9435f4e.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63849), with CRLF line terminators
Category:	dropped
Size (bytes):	154833
Entropy (8bit):	5.727289301680242
Encrypted:	false
SSDEEP:	3072:G0/vkX5kpILTnVNWfCXq9ymLHL2zMIg+bLPm2o9HuzhJOvP:3vw/VI1HLKzg+bLPmt8vOvP
MD5:	AED64BA55CAE1F1F1A54CE97CD52C22D
SHA1:	04DAD201E977D9816EE84BAD0B14F10D49898038
SHA-256:	45736D997CEDD615AAD1EEF88124C2948AB9C8F70D1E797A28CD26C5CAA8D7FF
SHA-512:	E08E5280CD170D29350F27D2E2E86A0835CA27C1A43B83ADE9AAF2339521A1AB0890EFDDAE94E9C35E80733D3BFFFCCBFF8410B32538D439E9D36853E84F6F07
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.1.7.8892" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tru

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a.cdf-ms

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	4428
Entropy (8bit):	4.0804454280684395
Encrypted:	false
SSDEEP:	48:1XCDvx+1gJe6S+9ow87gnW75uvs/vOTV4gkPKH11fKfTh5dTyA9Uno9f:1X2eV+Ww8g45ueOOg8KL6ThLTyOff
MD5:	35B209DB7472BE0ACDC32146C81D853D
SHA1:	47CBF491D168FCB259FF50AEE50E4405188D70A7
SHA-256:	BB94E9FA33FC8E1712347B5F17141BAB948A15EBED43A8D504C6FE544C557A0A
SHA-512:	8F861C4DD6191614187C4A03A905748FA5D6D042B89E270A5AA040B0D59AD7FC3A4D2819320964BFC2FD72F5E070D23F17BE132F47877D06783E0BE8DE4FD178
Malicious:	false
Preview:	PcmH...............,...T.......T...............8...........+........<.g..J.\|r,..`P...............3LD.S.....U..c...................'-........s".I...R.....$............=..kk........6...................z..w.....[~31.X....[s.T..<....s".I...R....y..&..d......B(...........E..X.!...O.&r..Vz$......;..'..................."...%...(...0.......0.......0.......0...D...0...t...0................................................... .......0.......8...4...D.......x...P...l...........@...................,.......4.......D...(...L.......t.......\|...........(...............................(................... ...(...4.......\.......d...(...\|...................(...............L...........0...................................................................................................................................................................................................................................................................................................nameScreenConnect.Cl

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\manifests\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1632
Entropy (8bit):	5.083221047941078
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0As+vSkcyMWcbEMWcuMWcVSkcf5bdTo:3FYZ8h9o9gI0AsCHMWTMW3MWGAXTo
MD5:	7D3BB8D33E0013B9BC19259D35631000
SHA1:	A274018BEF6F3BFF0CAE63D0706CBE94D5005362
SHA-256:	3E9C02C807AC20BD6C80A586BDC4C61BEB69F5D8576D7A1A34DB9681CCD92756
SHA-512:	D77A68BE6FE5755E4091694902A431F008241B4AC0BA0550E3E781BEBC1DC221A1EA507C363EC3D2EDDDD4631A18A82B0BE4AB10DDC5979677C85B725FBE7718
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.1.7.8892" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.1.7.8892" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" version=

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.504817871950198
Encrypted:	false
SSDEEP:	1536:Tg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkg8U0HMN77px0:8hbNDxZGXfdHrX7rAc6myJkg8U0H2f8
MD5:	1B8110B335E144860E91F5E68CCDC8B3
SHA1:	4F1662C9F914776E22616D2619D6CD99DC4333A7
SHA-256:	DC326E95E7F778AA53F67B420C3F7621ED078EE33EF9BEB62D4907E90F55A389
SHA-512:	DBD21613450F61BE471BD4406847773CD96B3355B70BCB1CA74043D0FF102C0E782ABD185F9DBCFB6A07FB71F490F3D500AEA32056F2978CFBB106F4BADB373A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: s.exe, Detection: malicious, Browse Filename: s.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@..................................@....@.................................p...x....`..P............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.316183273231889
Encrypted:	false
SSDEEP:	1536:gAi+zmNzdj1bv8DtYQ4RE+TC37/ibto7IxTM:gUzmNgYQbbMoCM
MD5:	993C201D63C86C889385D0F50560ED77
SHA1:	E032E82C325BC00B4BA03E27C872307C41575A2E
SHA-256:	7596C3B6DFDC06320D31D2F7622766E66F3845BF11C75ACB3E356DB9CD530AF9
SHA-512:	798D94954D3E3796D860015CA99E5435259BB0FFA1E63C8CE00129A7AB9BE78E40B171B718D34345DBAF4743A576530F4DB159CF74CB832CCCCA834395D2C787
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: s.exe, Detection: malicious, Browse Filename: s.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t............."...0................. ........@.. ....................... ............@.....................................O....... ............... )..............8............................................ ............... ..H............text...0.... ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S...............................................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s ...(!...s....(".....0...........(#.....($.....(%....s....%.o&...%.o'...%.o(...%s!...o)...%~....o...}......(....o+...o,....(-.....@...%..(.....o.....s/...}.....{...........s0...o1....s...

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.861248336043749
Encrypted:	false
SSDEEP:	1536:ntyvl441zbUrI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7sg7FxKIT:kt6rukLdAg/
MD5:	D7AC4220C10C1474730546D15EDD1810
SHA1:	BB87E80B2132E0CE8591F772091E79EC640E8D16
SHA-256:	24138FE20AA06390F09FD8BD6ED78E35F6C33D60C0CCF66759100986C1607BE6
SHA-512:	DD5112B9BF4845D42E2D7F06DC7A053B3B78D7A2AE498A7C2DA445DF23E4D854A12BF4D6C215FAB885307477C0A431D6B1BFC54C01BB368F81229FEE56BB9E70
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: s.exe, Detection: malicious, Browse Filename: s.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..@...........^... ...`....@.. .......................`............@..................................^..O....`.................. )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre...exe_25b0fbb6ef7eb094_0018.0001_none_97cb9f2a42c4956b\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..core_4b14c015c87c1ad8_0018.0001_none_533500b5fe8f96df\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	546304
Entropy (8bit):	6.032887867306247
Encrypted:	false
SSDEEP:	6144:hAUz5UEsIXxk3QCLKSkGEexE77VcYbUinCLrDfElYzMsdqe1J6tMznSAiOzfw8qS:hK67tEshnkDfyt9MznZU8RTIPM
MD5:	5C259DA933C9261944AFB6AA9A7E858B
SHA1:	CAD0ECB9AC68694CC601A7C980F985D9C29AFA88
SHA-256:	0D04EF4B196E5CE3412E58474FF5303CCBDC0A2F32487946B382B0B672615833
SHA-512:	F7E6C778943771FA1830805021DC7E64E47A30895AB9D5BF3708D82ABD2BFCCABA58CA86CFED8D38C879DF9E41999054838ABD6B55E7DD400DAEC84480DC5041
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....F..........." ..0..N...........i... ........... ....................................@..................................h..O.......t...........................<h..8............................................ ............... ..H............text...@M... ...N.................. ..`.rsrc...t............P..............@..@.reloc...............T..............@..B.................i......H........@...&...................g........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..dows_4b14c015c87c1ad8_0018.0001_none_57acd8973addaa0f\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721344
Entropy (8bit):	6.638166859033057
Encrypted:	false
SSDEEP:	24576:fQBtbsFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTs5:fqbsJkGYYpT0+TFiH7efP
MD5:	AB11C92301BD6B916F51EB3C6BA1F348
SHA1:	EDBCEA68F4D7B06AEF28A9E631FA0A5CFBB7889F
SHA-256:	EA86C15300B8CC311DE257456EA8B281AB7B5F231A4FCBCFF07E6F300E9ADE14
SHA-512:	9A42A8F6A71F55E8F85FF97593FFA2D3935FF80142CE6A57A9A104EE6D97043CF20C29F386007929DA31496E270EA9D5C0C7766D687D36D0E5523391E1B68E17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....A..........." ..0..<..........Z[... ...`....... ..............................a.....@..................................[..O....`..\|...........................dZ..8............................................ ............... ..H............text...h;... ...<.................. ..`.rsrc...\|....`.......>..............@..@.reloc...............B..............@..B................;[......H.......,...................0....Y........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	598816
Entropy (8bit):	6.182781958456638
Encrypted:	false
SSDEEP:	6144:0ya9pDzjhf+YMojz3cZRzyyUs0Ny2rOfQyEAlVw72191BVi1NnHEQcYF2/R4IrNk:jajDzNZFjLcZRzyyh5/EA3wv19SYBH
MD5:	DBD7C0D2CF1BF5CEC608648F14DC8309
SHA1:	5241F5BEC67A5E6EC2EE009C4F2E0F6F049841CB
SHA-256:	1145FAC110C18D2CD228A545EC4FCB7D3AEDD3C072B19C559D6E7067F7CF3F5F
SHA-512:	CC14BD533C63791F885DEC7AEB75D4E0BC5B51299E8F09F98CCB2A03EE7877DAA42768585E0B824A842A2DF8E09F86AC483F970C17D6AE2D4BB4A28670A7C99D
Malicious:	false
Yara Hits:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe, Author: Joe Security Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....S}..........."...0.............".... ... ....@.. .......................`......2.....@.....................................O.... .................. )...@......$...8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......LC..X.............................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_b47bd9d9e77379ec\ScreenConnect.WindowsClient.exe:Zone.Identifier

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..ient_4b14c015c87c1ad8_0018.0001_none_e94a5e880ddeece3\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.595882277108044
Encrypted:	false
SSDEEP:	3072:zS77Zz8NtrNOuJ7aFs2VUXEWcyzv/qu5zDvJXYU:k7OrJOuJc4XaMqu5G
MD5:	BDDFBA6105B88F0DF924D41E20A43EFB
SHA1:	73A0FFB39B4193EB9DB8B705B552019E91461D15
SHA-256:	A0FAFF6017E061386A7A161F6D97CCA3E935ECF1733D2CB999D1400E60E5EAF2
SHA-512:	4493DE052E1DAECCF8EC4661CCFC5C369014121EB730FB8AA4CEC789C5BB65B1AE74BB4928F6EA4FCC9D3359C52584B8E9C0FCD90994AF493A2A48EBF5BB71FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0................. ... ....... .......................`............@.....................................O.... ..\|....................@......4...8............................................ ............... ..H............text...P.... ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B........................H.......................^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~'...%-.&~&.....y...s....%.'...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.%...($....5..............s%....=.....0...........~)...%-.&~(.....\|...s&...%.)...(...+..~...%-.&~(.....}...s(...%.*...(...+.r9..

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\43wurqpu.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.026578360871898
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlf4Eb2uSl8+s/vXbAa3xT:2dL9hK6E46YPRf8uSVCvH
MD5:	CD4703A04F31942C136A56222A06B964
SHA1:	B601BD389C676C70E108B62D6F970589F0FA920C
SHA-256:	6D5DB5BA5CFFA4A1B25D08A11D69A10E0D1F87DA48A74B66FD572920BD971AA6
SHA-512:	4F671480B49E879831AF78E9F11B574AC1776E32C31BC7856A17CA252EF2E319BCE191BFB08E5C0FD6AEE14D47E331D791450B671219DA3FDED3A2ADA3A3B3BA
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ss6pex-relay.screenconnect.com=145.40.109.216-03%2f07%2f2024%2013%3a34%3a46</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\5dd0qjev.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.026578360871898
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlf4Eb2uSl8+S/vXbAa3xT:2dL9hK6E46YPRf8uSVYvH
MD5:	55E90294E934C8EE2388AA54F277CF92
SHA1:	35B0FCAA1B852B6D5782CF1045A8015B4E3FA160
SHA-256:	F85874567BBE64CB58FC9561900192C48E384EBCD1A519C454D5953B65BFE61E
SHA-512:	E56EE7C052493F233CFEA9E843A4F19CD2434D65020D2A222508E3D8232DB54876A4D979BB556FB83871CD23D8A4D54767AE3C5B24EDED081DF47C365461B1D6
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ss6pex-relay.screenconnect.com=145.40.109.216-03%2f07%2f2024%2013%3a34%3a39</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\Client.Override.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	426
Entropy (8bit):	4.829879116445817
Encrypted:	false
SSDEEP:	12:rHy2DLI4MWozmtEuAItfU49cAVUPDLASVrnSF2aS3:zHE4vvM2xVU78crncnm
MD5:	E78F7C7137D08CDF66080AF6E6CAEB99
SHA1:	3A5AE9DB10055DF4CC880415F8E2DE9593E58C18
SHA-256:	46804462ED2592A52383488CCA542CADDF027141757F7C45ECE6853F9F0D53B4
SHA-512:	E8D570AC0DACA62B829E14B28540F190959091D4F6CAF9FB81660D7AF5A35C030118E86A774B8D6D48B469C9B49A950C7FBEA4AB27DEE2E0EC85563A2F4AB7D0
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.2...n_Q2T}Z...5.......]...0A.p.p.l.i.c.a.t.i.o.n.D.i.r.e.c.t.o.r.y.N.a.m.e..... A.p.p.l.i.c.a.t.i.o.n.T.i.t.l.e.....2B.l.a.n.k.M.o.n.i.t.o.r.M.e.s.s.a.g.e.F.o.r.m.a.t.&.....BCL ScreenConnect..BCL ScreenConnect.%BCL ScreenConnect..Update in Progress

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\Client.Override.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	29283
Entropy (8bit):	7.908186098964646
Encrypted:	false
SSDEEP:	384:rWwJXE05V/MGGhyHmbrGj6GYJXE05uAVBYGFOJXE05V/uJXE05uAWJXE05V/Z:6s351MGGPVGk35uX351u35un351Z
MD5:	93D1A3F02EF88AF0AD0F1F388D7D5965
SHA1:	2334ABB2216ECDD20D275FA76AE976269CFF6330
SHA-256:	4E8175C915F92DD2A3988DA47A498E6D8EB0B0945BA96ADDC4AE1C7B1715A082
SHA-512:	93558DA52695400D6B2A7FC20147C39AEF653E5981FFBC801128BE1150C36C13E695FD8BD935B67A2CAB7BDED13AC977463B85D2FB6FF56C39DE9D9626D1EE82
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP....jF..../._.ks`.k.`.k.M6p....'.......w.......P..........."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6.@..."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2..%.."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8..8..,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6..?..(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.;N..,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6..b.. ;....PNG........IHDR................a....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\Client.en-US.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	49959
Entropy (8bit):	4.758252520953682
Encrypted:	false
SSDEEP:	1536:sdr6QF+gQpAfqiErOmOCqZUWi+JgJ0FQi9zwHLAhDKZ1HtRKekmrg9:sdr1F+gQOlErOmPqZUWi+JgJ0FQi9zw2
MD5:	511202ED0BA32D7F09EAB394C917D067
SHA1:	DBD611720FD1730198F72DEC09E8E23E6D6488F8
SHA-256:	F8398A235B29AF6569F2B116E0299B95512D042F5A4CD38C98C79729A5FBDB9D
SHA-512:	F04B08938F3EBF8CFA1A1157A94DA3AE4699494BDCE566619AFA5B13A8F6EBE556D522C064E5EA02E343B59A489343F77E3EA2BB2EA390AAE35A626F41CADC77
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP.q...'..6....wp.......y....C\|.)>..Ldt..... $...X..........1$.../...2.%%3./>>...L.y.0.C._.........1Y..Qj.o....<....=...R..;...C....&.......1p2.r.x.u?Y..R...c......X.....I.5.2q..R...>.E.pw .@ ).w.l.....S...X..'.C.I......-.Y........4.J..P<.E..=c!.@To..#.._.2.....K.!..h...z......t......^..4...D...f..Q...:..%.z.<......^.....;<...r..yC.....Q........4_.Sns..z.......=..]t...X..<....8.e`}..n....S.H[..S@?.~....,...j.2..v.......B....A...a......D..c..w..K,..t...S.....v....7.6\|..&.....r....#....G......Y...i..'.............'.......Z.....#2e..........\|....)..%....A.....4{..u;N......&q...}.tD..x.....4...J...L......5.Q..M....K..3U..M..............5...........t.>.......lYu....3TY.?...r...'.......3.m........=.H...#.o.........n.....,4.~...<h..u...i.H...V......V/...P.$%..z...

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\Client.resources

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe
File Type:	data
Category:	dropped
Size (bytes):	26722
Entropy (8bit):	7.7401940386372345
Encrypted:	false
SSDEEP:	384:rAClIRkKxFCQPZhNAmutHcRIfvVf6yMt+FRVoSVCdcDk6jO0n/uTYUq5ZplYKlBy:MV3PZrXgTf6vEVm6zjpGYUElerG49
MD5:	5CD580B22DA0C33EC6730B10A6C74932
SHA1:	0B6BDED7936178D80841B289769C6FF0C8EEAD2D
SHA-256:	DE185EE5D433E6CFBB2E5FCC903DBD60CC833A3CA5299F2862B253A41E7AA08C
SHA-512:	C2494533B26128FBF8149F7D20257D78D258ABFFB30E4E595CB9C6A742F00F1BF31B1EE202D4184661B98793B9909038CF03C04B563CE4ECA1E2EE2DEC3BF787
Malicious:	false
Preview:	...........lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP)...s^.J.....E.....(....jF.C...1P)...H..../..72J..I.J.a.K8c._.ks`.k.`.kK..m.M6p............b...P...........'...!...............K...............w.......P.......1......."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.1.6.....$A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.2.5.6....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.3.2....."A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.4.8.....,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.B.l.a.n.k.1.6.;...(A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.M.a.c.2.2.....0A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.O.p.a.q.u.e.1.9.2.8...,A.p.p.l.i.c.a.t.i.o.n.I.c.o.n.T.i.t.l.e.1.6.....6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.C.o.l.o.r.4...6B.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.:...DB.l.a.n.k.M.o.n.i.t.o.r.B.a.c.k.g.r.o.u.n.d.I.m.a.g.e.V.i.s.i.b.l.e.xb..B.l.a.n.k.M.o.n.i.t.o.r.T.e.x.t.C.o.l.o.r..b..D.a.r.k.T.h.e.m.e.B.a.r.B.a.s.e.C.o.l.o.r..b..<D.a.r.k.T.h.

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\app.config

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	626
Entropy (8bit):	4.616309019251323
Encrypted:	false
SSDEEP:	12:dPa9yos26K9YG0a9yVXpxs26K9YG1lokVXpxOOmo/ENmjvPvXQOENmjvPvTVXpx5:k9iKN9qXp8K3XpRmo/dHvgOdHvxXp/
MD5:	D7EAAA7398F22B437EF5E5671A597C30
SHA1:	09683C863F80AD81BAC75CEFD7624D14EB06B2C8
SHA-256:	7DE3C2A916C59DFEB3F64FC0FA08EAE2399045D8F6F352F11A92C9229738119A
SHA-512:	74D4FF5F1367EA8D5CDD277057B946C80BD7DACD9927FFDB8EFF6A240DFAB47A8EA10AAC257DE51D86DE092B0EDE90952A01BA1BA149664728A7F958BF2953C2
Malicious:	false
Preview:	<configuration>.. <configSections>.. <section name="ScreenConnect.SystemSettings" type="System.Configuration.ClientSettingsSection" />.. <section name="ScreenConnect.UserInterfaceSettings" type="System.Configuration.ClientSettingsSection" />.. </configSections>.. <ScreenConnect.SystemSettings />.. <ScreenConnect.UserInterfaceSettings>.. <setting name="HideWallpaperOnConnect" serializeAs="String">.. <value>false</value>.. </setting>.. <setting name="ShowFeedbackSurveyForm" serializeAs="String">.. <value>false</value>.. </setting>.. </ScreenConnect.UserInterfaceSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\bbvtadq5.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.026578360871898
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlf4Eb2uSl8+P/vXbAa3xT:2dL9hK6E46YPRf8uSVXvH
MD5:	E9EFCF15F19B154799BF0CDD4ABE753B
SHA1:	EE5F28C617362DE66B92634AD2CF73B99419811A
SHA-256:	53C6A24BFF60FDDD2D95C4FA2807825233D85A90A08CB157CF716380945739F1
SHA-512:	2CB3FE70121DD23D3D32A097F3A92A880662AB27B4B8C78B41DB07A30ACD74086248D28F3CC4D137205886008510F54D933917274EEDDE7D0FFD049E01C3909F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ss6pex-relay.screenconnect.com=145.40.109.216-03%2f07%2f2024%2013%3a35%3a42</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\dphy0adj.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.026165412290384
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlf4Eb2uSl8+v5/vXbAa3xT:2dL9hK6E46YPRf8uSVvRvH
MD5:	1CBC2B013790B3D4776B5D8F2A44B846
SHA1:	87F6100F101E6B3E54A35462A80305AA1BDB414C
SHA-256:	F1E451A7EFC16BE9F82FC564CE3EF00A0D165ABEDEE4B114AEFDF3F7D0FF9209
SHA-512:	BC7AD9814682C7B3A4818392980876E4266778D1B2672E09233B18E2A83B352F3729B75FB23CF1D12538CD88D367FC85351692FD4468ED90FD467AE9AC289B30
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ss6pex-relay.screenconnect.com=145.40.109.216-03%2f07%2f2024%2013%3a35%3a31</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ec0ivzly.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.026578360871898
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlf4Eb2uSl8+x/vXbAa3xT:2dL9hK6E46YPRf8uSVZvH
MD5:	3191307793C604E0E3633DB4FA332C0C
SHA1:	4E6A977ACE2AC7B0C10650D511AAD45F28DAF344
SHA-256:	7F4B57C6CDA77F6F25096BB7AD200B6E1FE31E5AB315F82756A934DFC75DAB98
SHA-512:	CDDBC4FBD242108F9057A685717AF087AD5F04BE1A917CCC4FF7FD01953D33C1DCC8CB83E3914DD700C12579E186682DBB2AD4DE0D2ACD98DEE2471903096092
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ss6pex-relay.screenconnect.com=145.40.109.216-03%2f07%2f2024%2013%3a34%3a36</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\f0feuc05.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.028607576269664
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlf4Eb2uSl8+n/vXbAa3xT:2dL9hK6E46YPRf8uSV/vH
MD5:	843DC9C8712BF55438C91C9659EE10F7
SHA1:	A4B830F4598C2B2FCBD3C72C3A40A729283711E1
SHA-256:	0E741F0302AC792783EAD1C0E382D243A4A2C785663A23DEDD260755DB0D9E52
SHA-512:	07A2649EF01D143223D8259E8AF7F4B0A4911177D6320A4C16816D7546493C303FF83135DCA0FBC6C6D34614EA2E3BDC23A3BC63E51249E0D87F06F6491004C1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ss6pex-relay.screenconnect.com=145.40.109.216-03%2f07%2f2024%2013%3a35%3a59</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\g4navqby.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.025045716509094
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlf4Eb2uSl8+f/vXbAa3xT:2dL9hK6E46YPRf8uSVnvH
MD5:	644F68AE6F8AB2DF2EA990DFDC9AA9EB
SHA1:	C40DFA19BA1EC80BF16DAAD626F4F48CCCF1D2E0
SHA-256:	1FC21AA094916A66158B101FF55537A3F4BF1C0FD5CE22E0E5D4FC7233D05A9A
SHA-512:	F504FCDBAB838B72CA04ABE19B88A716660D3D6AF4A4D967045CEAAB1737EBA6367E5ADDE2B597C180E72F8F04A28EDB5E8E269C30CDAB770F5CD56DC74BAB49
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ss6pex-relay.screenconnect.com=145.40.109.216-03%2f07%2f2024%2013%3a34%3a41</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\gkvz4jgc.newcfg

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.025811897597185
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlf4Eb2uSl8+9/vXbAa3xT:2dL9hK6E46YPRf8uSVVvH
MD5:	43DD83FCAB6F736086967908ABA4BC9D
SHA1:	EAE42E8CE1A99E8936AAA1612B4A9FDAD62699CA
SHA-256:	922738F5DC49B7445C17E39853B03D421AE40E85DCF816D929BC80011079D89E
SHA-512:	56268E4DE276E3A0BFB6320E633D8A53BB73A2EFDDA4FB6425692628D6B71C7C16DA635FA1E1E58EE056E99E70D26FE96DE758EC05440902DAFDE968AF9B016D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ss6pex-relay.screenconnect.com=145.40.109.216-03%2f07%2f2024%2013%3a35%3a22</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\user.config (copy)

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	585
Entropy (8bit):	5.026578360871898
Encrypted:	false
SSDEEP:	12:TMHdGGqq9yAas26K9YG6DLI4MWiNuGEAaORnYPENONlf4Eb2uSl8+x/vXbAa3xT:2dL9hK6E46YPRf8uSVZvH
MD5:	3191307793C604E0E3633DB4FA332C0C
SHA1:	4E6A977ACE2AC7B0C10650D511AAD45F28DAF344
SHA-256:	7F4B57C6CDA77F6F25096BB7AD200B6E1FE31E5AB315F82756A934DFC75DAB98
SHA-512:	CDDBC4FBD242108F9057A685717AF087AD5F04BE1A917CCC4FF7FD01953D33C1DCC8CB83E3914DD700C12579E186682DBB2AD4DE0D2ACD98DEE2471903096092
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <configSections>.. <section name="ScreenConnect.ApplicationSettings" type="System.Configuration.ClientSettingsSection, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />.. </configSections>.. <ScreenConnect.ApplicationSettings>.. <setting name="HostToAddressMap" serializeAs="String">.. <value>instance-ss6pex-relay.screenconnect.com=145.40.109.216-03%2f07%2f2024%2013%3a34%3a36</value>.. </setting>.. </ScreenConnect.ApplicationSettings>..</configuration>

C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..vice_4b14c015c87c1ad8_0018.0001_none_048898fe944efa4a\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.082254133651443
Encrypted:	false
SSDEEP:	1536:jxgIAw8rVbpcgOswatz8BnKyRIZMmQ9VIlxUBVb8EH:jw31b470Q9VAUNH
MD5:	D8EC66EFB7CE863D68931685039C9775
SHA1:	852C5332E22CFD720A0EA42CF69E602D397FA6A7
SHA-256:	DE8D8E97FB59C4F8E5CD936E566EC9D9423D270556CE5F005BFFF89AE2F45A45
SHA-512:	D1F2C8DEE56F26F6A2E7AD1075CD5E23A3E6A048A4B420FC9FFE06829DEE3BC677CF11098DBF1F1124B4413816728245095DA68EA63BF8909CA0C0B5C3AA94C0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............." ..0..............!... ...@....... ...............................I....@.................................-!..O....@.......................`....... ..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................a!......H.......Po....................... ........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....j...s....%.,...(...+vs....%.}Q.........s....(........0...........s....}.....s....}...........}.......('.....}.....(....&.(..........s....o.....(*...~-...%-.&~+.....k...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s>...}....... ..6........s....s>...}.....((...($............o%........

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1373
Entropy (8bit):	5.369201792577388
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KaXE4qpAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQ71qHGIs0HKEHmAHKKkKYHKGSI65
MD5:	1BF0A215F1599E3CEC10004DF6F37304
SHA1:	169E7E91AC3D25D07050284BB9A01CCC20159DE7
SHA-256:	D9D84A2280B6D61D60868F69899C549FA6E4536F83785BD81A62C485C3C40DB9
SHA-512:	68EE38EA384C8C5D9051C59A152367FA5E8F0B08EB48AA0CE16BCE2D2B31003A25CD72A4CF465E6B926155119DAB5775A57B6A6058B9E44C91BCED1ACCB086DB
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dfsvc.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1662
Entropy (8bit):	5.368796786510097
Encrypted:	false
SSDEEP:	48:M1H2HKQ71qHGIs0HKGAHKKkKYHKGSI6oPtHTH+JHvHlu:gWq+wmj0qxqKkKYqGSI6oPtzHIPQ
MD5:	F133699E2DFF871CA4DC666762B5A7FF
SHA1:	185FC7D230FC1F8AFC9FC2CF4899B8FFD21BCC57
SHA-256:	9BA0C7AEE39ACD102F7F44D289F73D94E2FD0FCD6005A767CD63A74848F19FC7
SHA-512:	8140CDCE2B3B92BF901BD143BFC8FB4FE8F9677036631939D30099C7B2BB382F1267A435E1F5C019EFFFF666D7389F77B06610489D73694FA31D16BD04CAF20A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, Pu

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScreenConnect.ClientService.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\B3V01X1N.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (641), with CRLF line terminators
Category:	dropped
Size (bytes):	15110
Entropy (8bit):	3.814150343716151
Encrypted:	false
SSDEEP:	96:t6BKndnt4pz0PdrBBaOy0lSdnt4pz0PmX2K/Z8h/kNLdnt4pz0PnsK9audPL5oIi:RutWdra3utWYVJutWJPLEv
MD5:	D0FAE005CF60105ECED599DB0F97F571
SHA1:	6E4F34CD579E00DC1C4C50BE0DFB378A74F999AA
SHA-256:	62985BDC9260A57383993DBB5121D940F9FB542647BB255E682A0D14DDD4C229
SHA-512:	2719B40F8EC919BD94A4619D69344955EA29FB5EF02C4AD4513EE0F8A2642D4501304A7EBAD82F3EF565310C9D83FC75BB3ED25D5E07F22254503164E279C4D9
Malicious:	false
Preview:	..P.L.A.T.F.O.R.M. .V.E.R.S.I.O.N. .I.N.F.O.......W.i.n.d.o.w.s. .......:. .1.0...0...1.9.0.4.5...0. .(.W.i.n.3.2.N.T.).......C.o.m.m.o.n. .L.a.n.g.u.a.g.e. .R.u.n.t.i.m.e. ...:. .4...0...3.0.3.1.9...4.2.0.0.0.......S.y.s.t.e.m...D.e.p.l.o.y.m.e.n.t...d.l.l. .....:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......c.l.r...d.l.l. .......:. .4...8...4.5.1.5...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.d.l.l...d.l.l. .......:. .4...8...4.2.7.0...0. .b.u.i.l.t. .b.y.:. .N.E.T.4.8.R.E.L.1.L.A.S.T._.C.......d.f.s.h.i.m...d.l.l. .......:. .1.0...0...1.9.0.4.1...3.0.0.0.0. .(.W.i.n.B.u.i.l.d...1.6.0.1.0.1...0.8.0.0.).........S.O.U.R.C.E.S.......D.e.p.l.o.y.m.e.n.t. .u.r.l.......:. .h.t.t.p.s.:././.b.c.l...s.c.r.e.e.n.c.o.n.n.e.c.t...c.o.m./.B.i.n./.S.c.r.e.e.n.C.o.n.n.e.c.t...C.l.i.e.n.t...a.p.p.l.i.c.a.t.i.o.n.?.h.=.i.n.s.t.a.n.c.e.-.s.s.6.p.e.x.-.r.e.l.a.y...s.c.r.e.e.n.c.o.n.n.e.c.t...c.o.m.&.p.=.4.4.3.&.k.=.B.g.I.A.A.A.C.k.A.A.B.S.U.0.E.x.

C:\Users\user\AppData\Local\Temp\Deployment\LE8RJV0O.0B9\JZR239YO.A4A.application

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (63849), with CRLF line terminators
Category:	dropped
Size (bytes):	154833
Entropy (8bit):	5.727289301680242
Encrypted:	false
SSDEEP:	3072:G0/vkX5kpILTnVNWfCXq9ymLHL2zMIg+bLPm2o9HuzhJOvP:3vw/VI1HLKzg+bLPmt8vOvP
MD5:	AED64BA55CAE1F1F1A54CE97CD52C22D
SHA1:	04DAD201E977D9816EE84BAD0B14F10D49898038
SHA-256:	45736D997CEDD615AAD1EEF88124C2948AB9C8F70D1E797A28CD26C5CAA8D7FF
SHA-512:	E08E5280CD170D29350F27D2E2E86A0835CA27C1A43B83ADE9AAF2339521A1AB0890EFDDAE94E9C35E80733D3BFFFCCBFF8410B32538D439E9D36853E84F6F07
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <assemblyIdentity name="ScreenConnect.WindowsClient.application" version="24.1.7.8892" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <description asmv2:publisher="ScreenConnect Software" asmv2:product="ScreenConnect Client" xmlns="urn:schemas-microsoft-com:asm.v1" />.. <deployment install="false" trustURLParameters="tru

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.595882277108044
Encrypted:	false
SSDEEP:	3072:zS77Zz8NtrNOuJ7aFs2VUXEWcyzv/qu5zDvJXYU:k7OrJOuJc4XaMqu5G
MD5:	BDDFBA6105B88F0DF924D41E20A43EFB
SHA1:	73A0FFB39B4193EB9DB8B705B552019E91461D15
SHA-256:	A0FAFF6017E061386A7A161F6D97CCA3E935ECF1733D2CB999D1400E60E5EAF2
SHA-512:	4493DE052E1DAECCF8EC4661CCFC5C369014121EB730FB8AA4CEC789C5BB65B1AE74BB4928F6EA4FCC9D3359C52584B8E9C0FCD90994AF493A2A48EBF5BB71FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0................. ... ....... .......................`............@.....................................O.... ..\|....................@......4...8............................................ ............... ..H............text...P.... ...................... ..`.rsrc...\|.... ......................@..@.reloc.......@......................@..B........................H.......................^................................................(......(....^.(...........%...}....:.(......}....:.(......}....:.(......}......{....:.(......}.....0..A........(....s....%.~'...%-.&~&.....y...s....%.'...(...+(...+o"...o........0..s.......~#.....2. ....+...j..... ......... ...............%.r...p.%.r...p............%.%...($....5..............s%....=.....0...........~)...%-.&~(.....\|...s&...%.)...(...+..~...%-.&~(.....}...s(...%.*...(...+.r9..

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Client.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.1467712039224764
Encrypted:	false
SSDEEP:	12:MMHdF4XZ8i9o9olxbv5NEgVkP0A7R7vNxW57FpS+iENg49vNxW5NgMsNg49vNxWO:JdFYZ8h9onRigeP0A0vSkcyMWcVSkTo
MD5:	24AF083471952E5073014B7269B94D1D
SHA1:	3AA11476B34B771738DBD42F61FBD3FE16139064
SHA-256:	6FDB3834F278D039F8F36F875C1A842BE8143DF0547E9DB04AAF54B655DC2B3D
SHA-512:	C2A6FF6BA4C67A6F676E1BE4A639AA07F43D7848FAF0D24C04A4097D14C9BF371B15FE5E60B7E9FB747DD07FF2637A303C52A59BA9885317CEB66A97B2E56732
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Client" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.1.7.8892" />.. <file name="ScreenConnect.Client.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.1.7.8892" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependent

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68096
Entropy (8bit):	6.082254133651443
Encrypted:	false
SSDEEP:	1536:jxgIAw8rVbpcgOswatz8BnKyRIZMmQ9VIlxUBVb8EH:jw31b470Q9VAUNH
MD5:	D8EC66EFB7CE863D68931685039C9775
SHA1:	852C5332E22CFD720A0EA42CF69E602D397FA6A7
SHA-256:	DE8D8E97FB59C4F8E5CD936E566EC9D9423D270556CE5F005BFFF89AE2F45A45
SHA-512:	D1F2C8DEE56F26F6A2E7AD1075CD5E23A3E6A048A4B420FC9FFE06829DEE3BC677CF11098DBF1F1124B4413816728245095DA68EA63BF8909CA0C0B5C3AA94C0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............." ..0..............!... ...@....... ...............................I....@.................................-!..O....@.......................`....... ..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................a!......H.......Po....................... ........................................(....^.(...........%...}....:.(......}....:.(......}....:.(......}.....~,...%-.&~+.....j...s....%.,...(...+vs....%.}Q.........s....(........0...........s....}.....s....}...........}.......('.....}.....(....&.(..........s....o.....(*...~-...%-.&~+.....k...s....%.-...o ....s!...}.....s"...}.....s#...}...... .... 0u.........s....s>...}....... ..6........s....s>...}.....((...($............o%........

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1632
Entropy (8bit):	5.083221047941078
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRzgeP0As+vSkcyMWcbEMWcuMWcVSkcf5bdTo:3FYZ8h9o9gI0AsCHMWTMW3MWGAXTo
MD5:	7D3BB8D33E0013B9BC19259D35631000
SHA1:	A274018BEF6F3BFF0CAE63D0706CBE94D5005362
SHA-256:	3E9C02C807AC20BD6C80A586BDC4C61BEB69F5D8576D7A1A34DB9681CCD92756
SHA-512:	D77A68BE6FE5755E4091694902A431F008241B4AC0BA0550E3E781BEBC1DC221A1EA507C363EC3D2EDDDD4631A18A82B0BE4AB10DDC5979677C85B725FBE7718
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.ClientService" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.1.7.8892" />.. <file name="ScreenConnect.ClientService.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.1.7.8892" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Windows" publicKeyToken="4b14c015c87c1ad8" version=

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.ClientService.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	95520
Entropy (8bit):	6.504817871950198
Encrypted:	false
SSDEEP:	1536:Tg1s9pgbNBAklbZfe2+zRVdHeDxGXAorrCnBsWBcd6myJkg8U0HMN77px0:8hbNDxZGXfdHrX7rAc6myJkg8U0H2f8
MD5:	1B8110B335E144860E91F5E68CCDC8B3
SHA1:	4F1662C9F914776E22616D2619D6CD99DC4333A7
SHA-256:	DC326E95E7F778AA53F67B420C3F7621ED078EE33EF9BEB62D4907E90F55A389
SHA-512:	DBD21613450F61BE471BD4406847773CD96B3355B70BCB1CA74043D0FF102C0E782ABD185F9DBCFB6A07FB71F490F3D500AEA32056F2978CFBB106F4BADB373A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(..qF.qF.qF....qF.....qF....qF.<.B.qF.<.E.qF.<.C.qF....qF.#..qF.qG..qF.2.O.qF.2...qF.2.D.qF.Rich.qF.........................PE..L.....wc...............!.............!............@..................................@....@.................................p...x....`..P............L.. )...p......`!..p............................ ..@............................................text...:........................... ..`.rdata...f.......h..................@..@.data........@.......,..............@....rsrc...P....`.......6..............@..@.reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	546304
Entropy (8bit):	6.032887867306247
Encrypted:	false
SSDEEP:	6144:hAUz5UEsIXxk3QCLKSkGEexE77VcYbUinCLrDfElYzMsdqe1J6tMznSAiOzfw8qS:hK67tEshnkDfyt9MznZU8RTIPM
MD5:	5C259DA933C9261944AFB6AA9A7E858B
SHA1:	CAD0ECB9AC68694CC601A7C980F985D9C29AFA88
SHA-256:	0D04EF4B196E5CE3412E58474FF5303CCBDC0A2F32487946B382B0B672615833
SHA-512:	F7E6C778943771FA1830805021DC7E64E47A30895AB9D5BF3708D82ABD2BFCCABA58CA86CFED8D38C879DF9E41999054838ABD6B55E7DD400DAEC84480DC5041
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....F..........." ..0..N...........i... ........... ....................................@..................................h..O.......t...........................<h..8............................................ ............... ..H............text...@M... ...N.................. ..`.rsrc...t............P..............@..@.reloc...............T..............@..B.................i......H........@...&...................g........................................{:.....{;...V.(<.....}:.....};......0..A........u~.......4.,/(=....{:....{:...o>...,.(?....{;....{;...o@...... ... )UU.Z(=....{:...oA...X )UU.Z(?....{;...oB...X...0..b........r...p......%..{:......%q.........-.&.+.......oC....%..{;......%q.........-.&.+.......oC....(D.....{E.....{F...V.(<.....}E.....}F....0..A........u........4.,/(=....{E....{E...o>...,.(?....{F....{F...o@...... F.b# )UU.

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Core.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1215
Entropy (8bit):	5.130500697087904
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onR+geP0AYvSkcVSkcMKzpdciSkTo:3FYZ8h9o4gI0A0GVETDTo
MD5:	9E3FD8A2790F7D451F4D9B853EDB19CB
SHA1:	C4F26162B4666CF98DA7467F819140D6063565E2
SHA-256:	6244A07CF52244E257AC5E2CA1EB619CE9434B3ED0AEF6C93C9CFB258AED7AEB
SHA-512:	64A9A9FA4B45EBA7334444D87AA8B4A808FF5BBD3BC71CB205193BC9DE2B623D15E5FF6E3CE9D2ACF445ACA738749398A1C5249AFF09AF8EAEED6F465389010C
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Core" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.1.7.8892" />.. <file name="ScreenConnect.Core.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Configuration" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.0" />.. </dependentAssemb

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1721344
Entropy (8bit):	6.638166859033057
Encrypted:	false
SSDEEP:	24576:fQBtbsFj+Ifz3zvnXj/zXzvAAkGz8mvgtX79S+2bfh+RfmT01krTFiH4SqfKPTs5:fqbsJkGYYpT0+TFiH7efP
MD5:	AB11C92301BD6B916F51EB3C6BA1F348
SHA1:	EDBCEA68F4D7B06AEF28A9E631FA0A5CFBB7889F
SHA-256:	EA86C15300B8CC311DE257456EA8B281AB7B5F231A4FCBCFF07E6F300E9ADE14
SHA-512:	9A42A8F6A71F55E8F85FF97593FFA2D3935FF80142CE6A57A9A104EE6D97043CF20C29F386007929DA31496E270EA9D5C0C7766D687D36D0E5523391E1B68E17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....A..........." ..0..<..........Z[... ...`....... ..............................a.....@..................................[..O....`..\|...........................dZ..8............................................ ............... ..H............text...h;... ...<.................. ..`.rsrc...\|....`.......>..............@..@.reloc...............B..............@..B................;[......H.......,...................0....Y........................................()...^.()..........%...}....:.().....}....:.().....}....:.().....}......s.....s+...:.(,.....(-.....{...."..}....J.(/........(0...&:.(,.....(1.....{2..."..}2....0..(........(3......+.............(0...&..X....i2.v.(,....s4...}.....s5...}....v.{.....r...p(...+.....o7.....0...........o8....+..o9......(...+&.o....-....,..o................."........{..........o:...&.......(.........0..L...

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.Windows.dll.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1980
Entropy (8bit):	5.057630602870424
Encrypted:	false
SSDEEP:	24:JdFYZ8h9onRbggeP0A6vSkcyMWcVSkcHSkcf5bdcadccdcckdTo:3FYZ8h9oygI0AWHMWGQAXRTFgTo
MD5:	4AC5D03B56ACF6EC0969D4017745DF3A
SHA1:	585FB53CB3B99848572813A5DFE13F9F9A56866B
SHA-256:	A4D063C3BA3B9D1572DB0193C55EB23C2C4D500987D600A7641B82076F1A5E8F
SHA-512:	ED5EF6055A4EFEE57EB43306E1929F55EEEB2AFB8EA12D69BF1F575B0626F46E0EEEC8A16C48249639ACA5D2A6C0B8D1421B543888F09953D12B0C1B46BAF85E
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.Windows" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.1.7.8892" />.. <file name="ScreenConnect.Windows.dll" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.1.7.8892" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </depende

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsBackstageShell.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61216
Entropy (8bit):	6.316183273231889
Encrypted:	false
SSDEEP:	1536:gAi+zmNzdj1bv8DtYQ4RE+TC37/ibto7IxTM:gUzmNgYQbbMoCM
MD5:	993C201D63C86C889385D0F50560ED77
SHA1:	E032E82C325BC00B4BA03E27C872307C41575A2E
SHA-256:	7596C3B6DFDC06320D31D2F7622766E66F3845BF11C75ACB3E356DB9CD530AF9
SHA-512:	798D94954D3E3796D860015CA99E5435259BB0FFA1E63C8CE00129A7AB9BE78E40B171B718D34345DBAF4743A576530F4DB159CF74CB832CCCCA834395D2C787
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t............."...0................. ........@.. ....................... ............@.....................................O....... ............... )..............8............................................ ............... ..H............text...0.... ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B........................H........S...............................................................(....^.(.......a...%...}....:.(......}....:.(......}....:.(......}........0..........(....(....(....(....r...p(....o....(....(....r...p..~....(....(....r9..p..~....(....(.....g~).....(....rY..p.(....&(.....(....s ...(!...s....(".....0...........(#.....($.....(%....s....%.o&...%.o'...%.o(...%s!...o)...%~....o...}......(....o+...o,....(-.....@...%..(.....o.....s/...}.....{...........s0...o1....s...

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsBackstageShell.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	598816
Entropy (8bit):	6.182781958456638
Encrypted:	false
SSDEEP:	6144:0ya9pDzjhf+YMojz3cZRzyyUs0Ny2rOfQyEAlVw72191BVi1NnHEQcYF2/R4IrNk:jajDzNZFjLcZRzyyh5/EA3wv19SYBH
MD5:	DBD7C0D2CF1BF5CEC608648F14DC8309
SHA1:	5241F5BEC67A5E6EC2EE009C4F2E0F6F049841CB
SHA-256:	1145FAC110C18D2CD228A545EC4FCB7D3AEDD3C072B19C559D6E7067F7CF3F5F
SHA-512:	CC14BD533C63791F885DEC7AEB75D4E0BC5B51299E8F09F98CCB2A03EE7877DAA42768585E0B824A842A2DF8E09F86AC483F970C17D6AE2D4BB4A28670A7C99D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....S}..........."...0.............".... ... ....@.. .......................`......2.....@.....................................O.... .................. )...@......$...8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......LC..X.............................................................{D.....{E...V.(F.....}D.....}E......0..A........u1.......4.,/(G....{D....{D...oH...,.(I....{E....{E...oJ...... }.o )UU.Z(G....{D...oK...X )UU.Z(I....{E...oL...X...0..b........r...p......%..{D......%q4....4...-.&.+...4...oM....%..{E......%q5....5...-.&.+...5...oM....(N.....{O.....{P...V.(F.....}O.....}P....0..A........u6.......4.,/(G....{O....{O...oH...,.(I....{P....{P...oJ...... 1.c. )UU.

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe.genman

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2569
Entropy (8bit):	5.0259568369832275
Encrypted:	false
SSDEEP:	48:3FYZ8h9o5gI0AtHMWAXQ3MWTMWRGTDBTo:1YiW4AWzvDm
MD5:	F9B14DF497B4C59141DD68827E7D6C2E
SHA1:	EB415A7B5A7784694458B4D8BA6CB30BF38C81FE
SHA-256:	0CAD8868B6947F86137E592308EC8BA46E318898DC338557B4FDCE0D056A5D9C
SHA-512:	5E0F9F2D89DCA27B9F89CC25C040B7C8E5F5A27230C1E1EA91FFD6E1B51EBD0C3E739C2F917FBCC63E125CF819E71FDF3DD27B47B03EC51A6D34CC7AA6F14FF2
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">.. <assemblyIdentity name="ScreenConnect.WindowsClient" processorArchitecture="msil" publicKeyToken="4B14C015C87C1AD8" version="24.1.7.8892" />.. <file name="ScreenConnect.WindowsClient.exe" />.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="2.0.0.0" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="ScreenConnect.Core" publicKeyToken="4b14c015c87c1ad8" version="24.1.7.8892" />.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="System.Drawing" publicKeyToken="b03f5f7f11d50a3a" version="2.0.0.

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe.manifest

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10073), with CRLF line terminators
Category:	dropped
Size (bytes):	17858
Entropy (8bit):	5.957071882530624
Encrypted:	false
SSDEEP:	384:NeG1kKsjbVJcwaMHf6b/TX9SUT4X9FX9R/QPIYM7Y7:NIt6nX9SDX9FX9R/QPIN07
MD5:	F07208902A10A9CDDF338F6256FE6B11
SHA1:	FC7E577DEC034B680A80B51A6D188AF3B429E2F4
SHA-256:	ADD65D10A544D74CE772D5130EA11C1827B8521EA7B06B1FAE7251BD852C46E4
SHA-512:	A9DEE634EB94D01CC25FFE6E793E41CD7B49814B3A4BA4515719BAD15602BFE34BE2A7029ACCAEE123330D34CE39736FAE4F4F80BCD3F3FAE822653419733435
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">.. <asmv1:assemblyIdentity name="ScreenConnect.WindowsClient.exe" version="24.1.7.8892" publicKeyToken="25b0fbb6ef7eb094" language="neutral" processorArchitecture="msil" type="win32" />.. <application />.. <entryPoint>.. <assemblyIdentity name="ScreenConnect.WindowsClient" version="24.1.7.8892" publicKeyToken="4B14C015C87C1AD8" language="neutral" processorArchitecture="msil" />.. <commandLine file="ScreenConnect.WindowsClient.exe" parameter

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsClient.exe:Zone.Identifier

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsFileManager.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81696
Entropy (8bit):	5.861248336043749
Encrypted:	false
SSDEEP:	1536:ntyvl441zbUrI5kLP+VVVVVVVVVVVVVVVVVVVVVVVVVC7sg7FxKIT:kt6rukLdAg/
MD5:	D7AC4220C10C1474730546D15EDD1810
SHA1:	BB87E80B2132E0CE8591F772091E79EC640E8D16
SHA-256:	24138FE20AA06390F09FD8BD6ED78E35F6C33D60C0CCF66759100986C1607BE6
SHA-512:	DD5112B9BF4845D42E2D7F06DC7A053B3B78D7A2AE498A7C2DA445DF23E4D854A12BF4D6C215FAB885307477C0A431D6B1BFC54C01BB368F81229FEE56BB9E70
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..@...........^... ...`....@.. .......................`............@..................................^..O....`.................. )...@.......]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc.......@......................@..B.................^......H....... +..@2..................`]........................................(....^.(.......;...%...}....:.(......}....:.(......}....:.(......}........0..........s>....(....(....(....(....(.....(....(......s....}B....s....}C....~@...%-.&~?.....<...s ...%.@...o...+.....@...s ...o...+......A...s!...o...+}D.......B...s"...o...+.......(#...&......(#...& .... ...........($...&s....t......r...prs..p(%...(&...~>...%-.&...'...s(...%.>.....A...().......(........(+...o,...(-...t....

C:\Users\user\AppData\Local\Temp\Deployment\QJ5J9VPB.NK8\YJ9Q36NV.4Y7\ScreenConnect.WindowsFileManager.exe.config

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.842791478883622
Encrypted:	false
SSDEEP:	6:TMVBd1IffVKNC7VrfC7VNQpuAKr5KNZk2ygAyONO5W4QIT:TMHdG3VO+Qg9LNZoE0Oo4xT
MD5:	728175E20FFBCEB46760BB5E1112F38B
SHA1:	2421ADD1F3C9C5ED9C80B339881D08AB10B340E3
SHA-256:	87C640D3184C17D3B446A72D5F13D643A774B4ECC7AFBEDFD4E8DA7795EA8077
SHA-512:	FB9B57F4E6C04537E8FDB7CC367743C51BF2A0AD4C3C70DDDAB4EA0CF9FF42D5AEB9D591125E7331374F8201CEBF8D0293AD934C667C1394DC63CE96933124E7
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <generatePublisherEvidence enabled="false" />.. </runtime>..</configuration>

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\932a2db58c237abd381d22df4c63a04a_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	87
Entropy (8bit):	3.463057265798253
Encrypted:	false
SSDEEP:	3:/lqlhGXKRjgjkFmURueGvx2VTUz:4DRPAx2Kz
MD5:	D2DED43CE07BFCE4D1C101DFCAA178C8
SHA1:	CE928A1293EA2ACA1AC01B61A344857786AFE509
SHA-256:	8EEE9284E733B9D4F2E5C43F71B81E27966F5CD8900183EB3BB77A1F1160D050
SHA-512:	A05486D523556C75FAAEEFE09BB2F8159A111B1B3560142E19048E6E3898A506EE4EA27DD6A4412EE56A7CE7C21E8152B1CDD92804BAF9FAC43973FABE006A2F
Malicious:	false
Preview:	......../...............................Microsoft Enhanced Cryptographic Provider v1.0.

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.246787984617127
Encrypted:	false
SSDEEP:	24:QOaqdmuF3rlkq3+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPc:FaqdF7Sq3+AAHdKoqKFxcxkFsqt
MD5:	A55EA1CD2898F8298728A8A444B75EFB
SHA1:	163E955AB5CC7F951A335B718B5DA03750B1DADE
SHA-256:	1EB23B72FEF5473D6EDB23B8D71EBF05CF62CAD13E05DA7C5EA4B3D33E1555EA
SHA-512:	D4991843662A1D8515337A5978CD69C1A2E2A6300D2EF3A07DAB1D6B8EA6C8C9C06BE0430381273E7E78BE0455DE5E2F6A1EA67C5855D6B007B564DD29370E04
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. J.u.l. .. 0.3. .. 2.0.2.4. .0.9.:.3.4.:.5.3.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.277009644985907
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe
File size:	86'672 bytes
MD5:	cc4dd46308ebb24e27b340426f05056c
SHA1:	2e6339d284b125fd9872dd35ea2cbb8e926857c2
SHA256:	15a7081b1f16351979220fbf17d2f79579d216aac7a988d888b02706ddb1cf20
SHA512:	686c611aff0306be61ec200236675f1d1ad498d112895621b3e912c9b617ad314d02d7f4e53a5491f7eb8cbea77f9bf980861ec9e0532f2715123b261a5072f4
SSDEEP:	1536:vXn1JYSnExFkcgKKjxfmqshiKW5Xs/iYQqQJtsWFcdfRMvb+xWCuorimIN0:vE3x5KBDYiKWm/iSw0fRMvygC+i
TLSH:	F7837C43B4D29871E9B21D3115B1C9615E3FBA211E348EBB2398026E5F741D0AE36F7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<-.A]CQA]CQA]CQ...QH]CQ...Q9]CQ...QY]CQ/.@PP]CQ/.FP\]CQ/.GPP]CQH%.QF]CQA]BQ%]CQ..KP@]CQ...Q@]CQ..AP@]CQRichA]CQ...............

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4016e7
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x573C933C [Wed May 18 16:07:24 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	1273eaec87da7c0a308253f29e7857eb

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	02/02/2016 01:00:00 02/02/2019 00:59:59
Subject Chain	CN=ScreenConnect Software, O=ScreenConnect Software, POBox=33634, STREET="4110 George Road, Suite 200", L=Tampa, S=Florida, PostalCode=33634, C=US
Version:	3
Thumbprint MD5:	453790B6149CC23B1C9EC2AC9D3ED2B5
Thumbprint SHA-1:	A41A37D0270D8433C3CD0220248AD84A5A6A1A26
Thumbprint SHA-256:	13D9A6CFC0F321B47CD391EAEB23B4B7C840C8D41B6AC4292F18A4AD321707E7
Serial:	04A03DBCE32C5A34420A419FB740AA1A

Entrypoint Preview

Instruction
call 00007FC614E4B7A5h
jmp 00007FC614E4B275h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0040C054h]
push dword ptr [ebp+08h]
call dword ptr [0040C050h]
push C0000409h
call dword ptr [0040C058h]
push eax
call dword ptr [0040C05Ch]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007FC614E54518h
test eax, eax
je 00007FC614E4B3F7h
push 00000002h
pop ecx
int 29h
mov dword ptr [004128C0h], eax
mov dword ptr [004128BCh], ecx
mov dword ptr [004128B8h], edx
mov dword ptr [004128B4h], ebx
mov dword ptr [004128B0h], esi
mov dword ptr [004128ACh], edi
mov word ptr [004128D8h], ss
mov word ptr [004128CCh], cs
mov word ptr [004128A8h], ds
mov word ptr [004128A4h], es
mov word ptr [004128A0h], fs
mov word ptr [0041289Ch], gs
pushfd
pop dword ptr [004128D0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004128C4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004128C8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004128D4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [00412810h], 00010001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[RES] VS2015 UPD1 build 23506
[LNK] VS2015 UPD1 build 23506

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1133c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x12800	0x2a90
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xe10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10a80	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x10af0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xaa97	0xac00	d848ee0b99f8b09b2eb3404bd599f204	False	0.5839162427325582	data	6.614299663924634	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x5ae8	0x5c00	3682f04d1dfb637ffc6d6744c60942e6	False	0.422554347826087	OpenPGP Public Key	4.907687067654073	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0x11e0	0x800	e43936ff24211648aa39f5558d648c0d	False	0.1787109375	data	2.129178187302198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x14000	0xb4	0x200	e4273988acc191fcb3d5336b25341398	False	0.283203125	data	1.4773023907442473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x15000	0x1e0	0x200	d1b97645795a058db19c32388b97fab2	False	0.525390625	data	4.7046807430404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0xe10	0x1000	90a429778b66415560f11e9c987b5e59	False	0.736083984375	data	6.166749947864908	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x15060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
CRYPT32.dll	CertOpenSystemStoreA, CryptMsgClose, CertFreeCertificateContext, CertDeleteCertificateFromStore, CryptQueryObject, CertCloseStore, CryptMsgGetParam, CertAddCertificateContextToStore, CertCreateCertificateContext
KERNEL32.dll	SetFilePointer, LocalAlloc, CreateFileW, Sleep, LoadLibraryA, CloseHandle, GetProcAddress, LocalFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, GetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetStdHandle, WriteFile, GetModuleFileNameW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, HeapFree, HeapAlloc, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, DecodePointer, RaiseException, ReadFile, GetModuleFileNameA
ADVAPI32.dll	SystemFunction036

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 14:33:20.645826101 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:20.645853043 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:20.645924091 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:20.663918972 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:20.663938999 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:21.898752928 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:21.898818970 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:21.904625893 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:21.904633999 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:21.904858112 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:21.958780050 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:21.965833902 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.008493900 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.385443926 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.385469913 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.385477066 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.385518074 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.385536909 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.385550022 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.385557890 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.385565042 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.385639906 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.385639906 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.515902996 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.515928030 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.516006947 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.516020060 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.516509056 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.735615015 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.735630035 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.735672951 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.735692024 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.735697985 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.735723019 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.735743999 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.736995935 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.737014055 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.737051964 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.737056971 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.737113953 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.738579988 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.738600016 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.738713980 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.738718987 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.738873959 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.953130007 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.953145027 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.953228951 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.953243971 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.953387976 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.954022884 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.954040051 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.954132080 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.954132080 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.954143047 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.954236031 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.955231905 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.955250025 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.955388069 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.955388069 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.955399036 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.955487967 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.958003998 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.958020926 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.958079100 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.958084106 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.958105087 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.958128929 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.958148003 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.958206892 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.958219051 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.958233118 CEST	443	49704	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:22.958273888 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:22.962649107 CEST	49704	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:23.409667015 CEST	49706	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:23.409704924 CEST	443	49706	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:23.409879923 CEST	49706	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:23.410160065 CEST	49706	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:23.410172939 CEST	443	49706	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:24.305996895 CEST	443	49706	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:24.308873892 CEST	49706	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:24.308906078 CEST	443	49706	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:25.093575954 CEST	443	49706	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:25.093600035 CEST	443	49706	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:25.093616009 CEST	443	49706	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:25.093715906 CEST	49706	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:25.093766928 CEST	443	49706	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:25.093825102 CEST	49706	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:25.094408989 CEST	443	49706	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:25.094458103 CEST	443	49706	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:25.094548941 CEST	49706	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:25.094945908 CEST	49706	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:32.364763021 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:32.364798069 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:32.364872932 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:32.365644932 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:32.365663052 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:33.267537117 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:33.297923088 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:33.297940016 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.057848930 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.057874918 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.057889938 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.061907053 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.061924934 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.061939001 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.062666893 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.270889997 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.270915031 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.271012068 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.271012068 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.271035910 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.271835089 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.271857023 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.271876097 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.271883965 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.271897078 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.271943092 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.271944046 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.273663998 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.273684978 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.273755074 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.273755074 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.273766041 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.277892113 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.484088898 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.484148026 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.484194040 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.484216928 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.484265089 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.484302998 CEST	443	49716	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.484334946 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.484500885 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.485915899 CEST	49716	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.518919945 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.518975973 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:34.519079924 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.519330025 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:34.519345999 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:35.455878973 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:35.457601070 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:35.457629919 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.243828058 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.243855953 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.243872881 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.243947029 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.243979931 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.244035006 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.245409966 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.245429993 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.245498896 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.245515108 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.286907911 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.459947109 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.459975004 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.460052967 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.460079908 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.460383892 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.460671902 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.460711956 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.460720062 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.460728884 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.460747004 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.460781097 CEST	443	49717	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.460815907 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.462152958 CEST	49717	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.476934910 CEST	49718	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.476979971 CEST	443	49718	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:36.477039099 CEST	49718	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.477248907 CEST	49718	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:36.477262020 CEST	443	49718	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:37.387222052 CEST	443	49718	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:37.388537884 CEST	49718	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:37.388569117 CEST	443	49718	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:37.972532988 CEST	443	49718	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:37.972605944 CEST	443	49718	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:37.972815990 CEST	49718	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:37.973732948 CEST	49718	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:37.978815079 CEST	49719	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:37.978873014 CEST	443	49719	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:37.978955984 CEST	49719	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:37.979181051 CEST	49719	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:37.979208946 CEST	443	49719	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:38.899054050 CEST	443	49719	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:38.901211977 CEST	49719	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:38.901230097 CEST	443	49719	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:39.465472937 CEST	443	49719	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:39.465679884 CEST	443	49719	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:39.465816021 CEST	49719	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:39.466797113 CEST	49719	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:39.471589088 CEST	49720	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:39.471621990 CEST	443	49720	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:39.471684933 CEST	49720	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:39.471939087 CEST	49720	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:39.471949100 CEST	443	49720	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:41.082910061 CEST	443	49720	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:41.084357023 CEST	49720	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:41.084363937 CEST	443	49720	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:41.406889915 CEST	443	49720	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:41.406964064 CEST	443	49720	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:41.407111883 CEST	49720	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:41.408179998 CEST	49720	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:41.413373947 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:41.413422108 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:41.413499117 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:41.413681030 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:41.413697958 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:43.092924118 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:43.094347000 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:43.094372034 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:43.857347965 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:43.857367039 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:43.857379913 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:43.857466936 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:43.857491970 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:43.857507944 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:43.857547045 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:43.858994007 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:43.859009981 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:43.859071970 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:43.859078884 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:43.911948919 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.073019028 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.073028088 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.073118925 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.073144913 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.073179007 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.073194027 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.073215961 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.074943066 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.074958086 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.075016022 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.075022936 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.075061083 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.075922966 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.075936079 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.075988054 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.075995922 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.076035023 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.076069117 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.076113939 CEST	443	49721	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.076153040 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.092116117 CEST	49721	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.256652117 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.256686926 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:44.256772995 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.257246971 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:44.257260084 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:45.133615971 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:45.134922028 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:45.134943962 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:45.916053057 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:45.916079044 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:45.916093111 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:45.916150093 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:45.916177988 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:45.916228056 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:45.917944908 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:45.917959929 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:45.918030977 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:45.918036938 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:45.958832979 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.129391909 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.129422903 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.129455090 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.129475117 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.129556894 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.129602909 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.130851984 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.130872965 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.130918026 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.130958080 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.130961895 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.131006002 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.215512991 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.215536118 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.215648890 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.215667963 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.215775967 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.344120026 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.344151020 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.344225883 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.344238997 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.344300032 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.344300032 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.345421076 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.345448017 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.345524073 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.345529079 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.346504927 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.346733093 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.346752882 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.347018957 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.347023964 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.347583055 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.348304033 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.348324060 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.348495007 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.348495007 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.348500967 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.348759890 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.557606936 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.557630062 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.557761908 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.557780027 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.557857990 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.558587074 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.558603048 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.558669090 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.558676004 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.558717012 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.559446096 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.559459925 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.559518099 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.559523106 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.559545040 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.560023069 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.560043097 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.560098886 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.560098886 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.560106039 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.560190916 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.561309099 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.561322927 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.561379910 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.561383963 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.561403990 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.562053919 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.562069893 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.563031912 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.563076973 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.563076973 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.563076973 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.563085079 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.563106060 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.563234091 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.564209938 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.564228058 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.564290047 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.564290047 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.564296961 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.615094900 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.771991014 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.772018909 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.772061110 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.772083044 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.772125959 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.772160053 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.772408962 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.772428989 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.772463083 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.772469044 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.772500038 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.772511959 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.773643970 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.773663044 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.773814917 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.773822069 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.773888111 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.774616957 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.774633884 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.774686098 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.774693012 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.774723053 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.774749041 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.777141094 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.777158976 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.777225018 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.777234077 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.777262926 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.777318954 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.777893066 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.777909040 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.777977943 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.777977943 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.777986050 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.778167009 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.779479027 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.779500008 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.779542923 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.779548883 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.779571056 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.779592991 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.779650927 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.779655933 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.779731989 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.779731989 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.858750105 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.858774900 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.858843088 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.858859062 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.858930111 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.859695911 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.859711885 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.859772921 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.859778881 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.859832048 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.860270023 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.860285044 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.860392094 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.860392094 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.860398054 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.860436916 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.861021996 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.861040115 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.861108065 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.861108065 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.861114025 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.861162901 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.862215996 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.862235069 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.862328053 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.862334013 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.862376928 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.862673044 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.992295027 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.992341995 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.992468119 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.992468119 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:46.992491961 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:46.992532969 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.007777929 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.007808924 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.007889986 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.007900000 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.007956028 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.008119106 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.008136988 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.008192062 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.008197069 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.008297920 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.009031057 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.009048939 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.009155989 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.009155989 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.009162903 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.009202957 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.010082960 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.010099888 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.010168076 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.010174990 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.010251045 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.010869026 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.010886908 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.010937929 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.010946035 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.010977983 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.011781931 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.011801004 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.011826038 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.011831999 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.011904001 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.012728930 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.012748003 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.012814045 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.012820959 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.012871981 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.113358021 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.113384962 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.113430977 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.113471031 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.113500118 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.113521099 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.113537073 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.113634109 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.113648891 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.113688946 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.113697052 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.113724947 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.114469051 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.114485979 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.114566088 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.114566088 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.114577055 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.115447998 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.115463018 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.115545988 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.115545988 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.115556002 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.116400003 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.116416931 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.116461039 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.116467953 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.116496086 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.117336988 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.117351055 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.117430925 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.117440939 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.118204117 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.118227959 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.118267059 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.118274927 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.118311882 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.161973000 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.206207037 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.206224918 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.206290960 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.206307888 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.206345081 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.207057953 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.207072973 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.207119942 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.207127094 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.207164049 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.207793951 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.207808018 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.207859039 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.207865000 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.207897902 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.209352016 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.209367037 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.209413052 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.209420919 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.209454060 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.210228920 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.210242987 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.210285902 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.210292101 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.210338116 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.211158037 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.211172104 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.211240053 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.211240053 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.211246967 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.211283922 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.212090015 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.212104082 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.212153912 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.212161064 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.212197065 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.212985992 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.213001013 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.213032007 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.213038921 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.213114977 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.213211060 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.213557005 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.213572979 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.213606119 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.213613033 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.213640928 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.213659048 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.293999910 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.294028997 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.294075966 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.294107914 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.294123888 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.294148922 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.294678926 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.294694901 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.294743061 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.294754982 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.294795990 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.295259953 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.295274973 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.295321941 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.295337915 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.295373917 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.296006918 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.296021938 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.296053886 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.296066046 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.296091080 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.296108961 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.296956062 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.296972036 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.297005892 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.297019005 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.297059059 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.297075987 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.297951937 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.297971964 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.298011065 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.298019886 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.298053026 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.298075914 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.298727989 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.298746109 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.298784971 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.298795938 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.298821926 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.298837900 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.299614906 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.299635887 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.299688101 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.299700022 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.299711943 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.299730062 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.380707979 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.380733013 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.380779028 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.380811930 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.380825996 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.380852938 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.424891949 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.424911022 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.424962044 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.424985886 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.425003052 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.425023079 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.425720930 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.425745010 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.425789118 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.425805092 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.425825119 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.425839901 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.426304102 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.426320076 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.426362038 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.426369905 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.426393986 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.426414013 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.426973104 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.426989079 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.427027941 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.427037001 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.427072048 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.427079916 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.427934885 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.427951097 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.427985907 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.427999020 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.428020954 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.428039074 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.428859949 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.428877115 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.428930998 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.428945065 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.428982973 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.467180014 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.467202902 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.467251062 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.467273951 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.467287064 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.467313051 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.512063026 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.512096882 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.512150049 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.512160063 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.512195110 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.512211084 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.512514114 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.512531996 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.512587070 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.512593985 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.512635946 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.513201952 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.513217926 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.513266087 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.513272047 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.513312101 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.514031887 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.514049053 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.514091969 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.514096975 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.514122963 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.514139891 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.514940023 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.514961958 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.515011072 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.515017033 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.515057087 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.515934944 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.515954018 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.515990019 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.515995026 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.516021013 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.516067028 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.516841888 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.516863108 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.516912937 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.516920090 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.516957045 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.554052114 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.554078102 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.554141998 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.554153919 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.554191113 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.602384090 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.602405071 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.602475882 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.602504015 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.602543116 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.603277922 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.603292942 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.603344917 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.603353024 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.603394985 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.603818893 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.603832960 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.603887081 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.603893042 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.603913069 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.603936911 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.604585886 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.604600906 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.604660988 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.604667902 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.604707956 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.605601072 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.605616093 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.605676889 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.605684042 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.605722904 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.607224941 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.607238054 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.607285023 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.607291937 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.607331038 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.607356071 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.607369900 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.607414007 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.607420921 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.607456923 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.642585039 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.642611027 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.642688036 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.642709017 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.642750025 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.689826012 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.689845085 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.690026999 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.690040112 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.690088987 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.690475941 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.690490007 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.690542936 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.690551043 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.690594912 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.691032887 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.691047907 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.691098928 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.691104889 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.691150904 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.692214966 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.692229033 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.692274094 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.692280054 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.692303896 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.692347050 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.693017960 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.693031073 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.693079948 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.693085909 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.693109989 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.693135977 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.693172932 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.693188906 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.693223000 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.693229914 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.693253994 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.693272114 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.694750071 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.694762945 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.694813967 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.694819927 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.694860935 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.727933884 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.727951050 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.728008986 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.728018999 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.728063107 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.777043104 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.777074099 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.777160883 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.777173042 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.777199984 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.777216911 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.777812958 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.777829885 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.777889967 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.777896881 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.777939081 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.778845072 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.778868914 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.778911114 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.778915882 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.778944969 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.778971910 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.779604912 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.779620886 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.779676914 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.779683113 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.779730082 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.780365944 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.780388117 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.780447006 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.780455112 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.780498028 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.781012058 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.781038046 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.781073093 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.781078100 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.781106949 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.781131029 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.781896114 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.781914949 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.781980991 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.781986952 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.782037973 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.815097094 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.815121889 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.815171957 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.815181971 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.815202951 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.815218925 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.864202976 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.864233017 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.864283085 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.864296913 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.864322901 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.864337921 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.864964962 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.864981890 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.865031004 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.865056992 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.865063906 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.865094900 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.865118027 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.866225958 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.866236925 CEST	443	51653	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.866251945 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.866281033 CEST	51653	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.985997915 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.986043930 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:47.986102104 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.986360073 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:47.986376047 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:48.893671989 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:48.895004988 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:48.895021915 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.685792923 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.685813904 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.685827971 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.685925961 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:49.685956001 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.686007023 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:49.687547922 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.687563896 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.687635899 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:49.687645912 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.740083933 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:49.901715994 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.901741028 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.901781082 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:49.901796103 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.901807070 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:49.901832104 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:49.903229952 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.903245926 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.903286934 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:49.903291941 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.903321981 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:49.903340101 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:49.905165911 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.905184031 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.905225992 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:49.905230999 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:49.905265093 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:49.905286074 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.117892027 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.117917061 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.118000984 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.118029118 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.118069887 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.119556904 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.119575024 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.119647980 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.119653940 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.119693995 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.120750904 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.120768070 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.120832920 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.120839119 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.120878935 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.121321917 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.121342897 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.121387005 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.121392965 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.121419907 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.121438980 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.333674908 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.333695889 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.333808899 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.333822012 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.333880901 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.335040092 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.335055113 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.335139036 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.335144043 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.335194111 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.336215973 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.336230993 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.336307049 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.336313009 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.336353064 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.337454081 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.337467909 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.337546110 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.337551117 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.337591887 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.338884115 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.338897943 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.338979006 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.338979006 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.338984966 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.339035034 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.340030909 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.340065956 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.340181112 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.340186119 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.340229034 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.549871922 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.549881935 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.549909115 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.549937010 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.549948931 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.549967051 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.549985886 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.550473928 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.550489902 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.550533056 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.550538063 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.550555944 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.550595045 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.551177979 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.551197052 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.551256895 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.551256895 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.551263094 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.551316023 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.552218914 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.552233934 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.552290916 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.552294970 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.552352905 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.553138971 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.553158045 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.553200960 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.553203106 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.553215027 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.553241968 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.553257942 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.553280115 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.553283930 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.553297043 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.553352118 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.554619074 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.554631948 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.554729939 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.554734945 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.554775953 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.555541039 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.555553913 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.555619955 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.555625916 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.555663109 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.640809059 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.640825987 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.640959024 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.640966892 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.641021013 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.764676094 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.764693975 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.764803886 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.764811993 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.764859915 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.765324116 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.765338898 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.765465975 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.765470982 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.765537024 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.766149044 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.766165018 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.766251087 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.766256094 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.766323090 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.767188072 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.767203093 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.767281055 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.767287016 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.767335892 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.767625093 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.767644882 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.767704010 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.767709017 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.767765999 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.771111012 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.771126986 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.771198034 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.771202087 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.771248102 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.771720886 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.771737099 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.771830082 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.771835089 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.771891117 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.772294044 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.772309065 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.772377014 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.772381067 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.772418976 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.772418976 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.772489071 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.772510052 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.772583008 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.772583008 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.772588968 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.772667885 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.855716944 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.855803967 CEST	443	51657	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.855834007 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.855851889 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.856199026 CEST	51657	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.876739979 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.876774073 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:50.876888990 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.877094984 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:50.877109051 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:51.769649982 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:51.770776033 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:51.770800114 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.554229021 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.554254055 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.554270983 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.554389954 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.554414988 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.554467916 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.565284967 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.565304041 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.565413952 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.565422058 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.615233898 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.767493963 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.767524004 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.767595053 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.767621994 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.767640114 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.767699003 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.769210100 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.769226074 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.769308090 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.769320965 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.769972086 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.771689892 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.771704912 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.771775961 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.771794081 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.772061110 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.984592915 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.984617949 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.984678030 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.984693050 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.984704971 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.984740973 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.985179901 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.985197067 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.985255003 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.985260963 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.985301971 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.985966921 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.985981941 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.986042976 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.986048937 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.986093998 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.986424923 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.986439943 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.986489058 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.986495018 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:52.986534119 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:52.986534119 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.193013906 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:53.193038940 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:53.193105936 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.193131924 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:53.193197012 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.193824053 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:53.193840027 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:53.193880081 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.193888903 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:53.193917990 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.193938017 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.194633007 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:53.194648027 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:53.194689989 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.194695950 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:53.194705963 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:53.194720030 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.194761992 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.194780111 CEST	443	51658	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:53.194839001 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.199668884 CEST	51658	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.216039896 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.216088057 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:53.216160059 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.216344118 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:53.216363907 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:54.115125895 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:54.118552923 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:54.118592024 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:54.915608883 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:54.915632963 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:54.915647030 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:54.915760040 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:54.915812016 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:54.915863037 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:54.916920900 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:54.916939020 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:54.917010069 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:54.917018890 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:54.958909988 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:55.131057978 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:55.131079912 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:55.131175041 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:55.131226063 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:55.131270885 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:55.132072926 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:55.132086992 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:55.132144928 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:55.132153034 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:55.132186890 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:55.132868052 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:55.132922888 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:55.132930994 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:55.132942915 CEST	443	51659	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:55.132991076 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:55.133563042 CEST	51659	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:55.146596909 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:55.146641970 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:55.146759987 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:55.147018909 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:55.147032976 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:56.043958902 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:56.045536041 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:56.045583010 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:56.836961031 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:56.836987972 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:56.837003946 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:56.837127924 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:56.837162971 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:56.837183952 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:56.837220907 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:56.838774920 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:56.838793039 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:56.838881016 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:56.838887930 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:56.880839109 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.050600052 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.050615072 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.050673962 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.050703049 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.050753117 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.050764084 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.050815105 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.052256107 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.052272081 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.052373886 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.052382946 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.052509069 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.054728031 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.054743052 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.054814100 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.054821014 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.054879904 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.263971090 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.263987064 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.264029980 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.264056921 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.264095068 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.264111042 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.264154911 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.264893055 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.264909983 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.264950037 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.264955997 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.264981985 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.265007973 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.265830040 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.265844107 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.265901089 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.265908003 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.265938044 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.265952110 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.266911983 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.266927958 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.266969919 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.266976118 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.267010927 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.267020941 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.268378973 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.268394947 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.268450022 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.268459082 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.268508911 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.477895975 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.477910042 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.477977037 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.478017092 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.478039980 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.478064060 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.478081942 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.478650093 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.478672028 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.478720903 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.478729010 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.478765965 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.479517937 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.479538918 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.479593992 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.479600906 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.479634047 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.479648113 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.480184078 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.480201006 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.480261087 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.480268002 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.480309010 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.481153965 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.481169939 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.481237888 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.481245041 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.481298923 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.481899977 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.481915951 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.481973886 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.481981039 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.482017994 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.482822895 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.482837915 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.482887030 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.482892990 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.482932091 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.693036079 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.693048954 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.693085909 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.693289995 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.693320036 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.693411112 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.693873882 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.693891048 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.693948030 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.693958044 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.693990946 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.694015026 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.694574118 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.694593906 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.694643021 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.694649935 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.694664955 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.694691896 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.695676088 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.695691109 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.695759058 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.695769072 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.695811033 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.696403980 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.696419954 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.696476936 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.696489096 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.696574926 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.697521925 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.697535992 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.697587967 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.697597980 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.697635889 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.701239109 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.701258898 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.701304913 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.701311111 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.701325893 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.701342106 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.702049017 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.702064991 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.702116966 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.702124119 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.702173948 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.702603102 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.702625036 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.702661991 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.702668905 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.702687025 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.702713013 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.783099890 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.783117056 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.783176899 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.783190966 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.783215046 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.783236027 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.783495903 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.783514023 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.783556938 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.783565044 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.783586025 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.783597946 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.784498930 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.784521103 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.784564972 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.784571886 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.784585953 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.784603119 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.784640074 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.784656048 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.784684896 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.784691095 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.784722090 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.785434961 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.905055046 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.905077934 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.905168056 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.905185938 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.905939102 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.905963898 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.906007051 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.906013966 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.906029940 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.906059027 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.906434059 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.906449080 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.906500101 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.906507969 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.907294035 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.907311916 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.907357931 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.907362938 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.907409906 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.908375025 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.908390045 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.908463955 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.908469915 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.908622026 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.909496069 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.909514904 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.909544945 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.909548998 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.909578085 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.909584045 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.912308931 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.912373066 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.912379026 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.912393093 CEST	443	51660	145.40.109.218	192.168.2.7
Jul 3, 2024 14:33:57.912431002 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:33:57.912763119 CEST	51660	443	192.168.2.7	145.40.109.218
Jul 3, 2024 14:34:04.908049107 CEST	51662	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:04.908083916 CEST	443	51662	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:04.908210039 CEST	51662	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:05.585566998 CEST	51662	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:05.585597038 CEST	443	51662	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:05.585665941 CEST	443	51662	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:07.811348915 CEST	51663	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:07.811394930 CEST	443	51663	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:07.811465979 CEST	51663	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:07.830607891 CEST	51663	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:07.830636024 CEST	443	51663	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:07.830678940 CEST	443	51663	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:10.304764032 CEST	51664	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:10.304794073 CEST	443	51664	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:10.304872990 CEST	51664	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:10.307418108 CEST	51664	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:10.307432890 CEST	443	51664	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:10.307487011 CEST	443	51664	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:15.107177973 CEST	51665	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:15.107211113 CEST	443	51665	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:15.107280016 CEST	51665	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:15.112138033 CEST	51665	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:15.112154007 CEST	443	51665	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:15.112206936 CEST	443	51665	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:21.260200977 CEST	51666	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:21.260246038 CEST	443	51666	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:21.260310888 CEST	51666	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:21.262589931 CEST	51666	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:21.262603998 CEST	443	51666	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:21.262656927 CEST	443	51666	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:29.681567907 CEST	51667	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:29.681616068 CEST	443	51667	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:29.681689024 CEST	51667	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:29.683829069 CEST	51667	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:29.683840990 CEST	443	51667	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:29.683888912 CEST	443	51667	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:40.753393888 CEST	51668	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:40.753444910 CEST	443	51668	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:40.753535032 CEST	51668	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:40.756057024 CEST	51668	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:40.756073952 CEST	443	51668	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:40.756145000 CEST	443	51668	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:57.992043018 CEST	51669	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:57.992094040 CEST	443	51669	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:57.992157936 CEST	51669	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:57.994429111 CEST	51669	443	192.168.2.7	145.40.109.216
Jul 3, 2024 14:34:57.994440079 CEST	443	51669	145.40.109.216	192.168.2.7
Jul 3, 2024 14:34:57.994488955 CEST	443	51669	145.40.109.216	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 14:33:18.443027020 CEST	61280	53	192.168.2.7	1.1.1.1
Jul 3, 2024 14:33:20.611721039 CEST	61811	53	192.168.2.7	1.1.1.1
Jul 3, 2024 14:33:20.640753031 CEST	53	61811	1.1.1.1	192.168.2.7
Jul 3, 2024 14:33:43.316988945 CEST	53	63304	162.159.36.2	192.168.2.7
Jul 3, 2024 14:33:43.788341999 CEST	60821	53	192.168.2.7	1.1.1.1
Jul 3, 2024 14:33:43.799959898 CEST	53	60821	1.1.1.1	192.168.2.7
Jul 3, 2024 14:33:47.953670979 CEST	55664	53	192.168.2.7	1.1.1.1
Jul 3, 2024 14:33:47.982327938 CEST	53	55664	1.1.1.1	192.168.2.7
Jul 3, 2024 14:34:04.850486994 CEST	50947	53	192.168.2.7	1.1.1.1
Jul 3, 2024 14:34:04.879522085 CEST	53	50947	1.1.1.1	192.168.2.7
Jul 3, 2024 14:34:40.686734915 CEST	64943	53	192.168.2.7	1.1.1.1
Jul 3, 2024 14:34:40.733889103 CEST	53	64943	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 14:33:18.443027020 CEST	192.168.2.7	1.1.1.1	0x872e	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:33:20.611721039 CEST	192.168.2.7	1.1.1.1	0x102	Standard query (0)	bcl.screenconnect.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:33:43.788341999 CEST	192.168.2.7	1.1.1.1	0x2e	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jul 3, 2024 14:33:47.953670979 CEST	192.168.2.7	1.1.1.1	0x2d09	Standard query (0)	bcl.screenconnect.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:34:04.850486994 CEST	192.168.2.7	1.1.1.1	0xd1f3	Standard query (0)	instance-ss6pex-relay.screenconnect.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:34:40.686734915 CEST	192.168.2.7	1.1.1.1	0xda25	Standard query (0)	instance-ss6pex-relay.screenconnect.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 14:33:18.455846071 CEST	1.1.1.1	192.168.2.7	0x872e	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 14:33:20.640753031 CEST	1.1.1.1	192.168.2.7	0x102	No error (0)	bcl.screenconnect.com	server-nixc4ced126-web.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 14:33:20.640753031 CEST	1.1.1.1	192.168.2.7	0x102	No error (0)	server-nixc4ced126-web.screenconnect.com		145.40.109.218	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:33:25.270159960 CEST	1.1.1.1	192.168.2.7	0x97b8	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:33:25.270159960 CEST	1.1.1.1	192.168.2.7	0x97b8	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:33:25.800183058 CEST	1.1.1.1	192.168.2.7	0x96e8	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 14:33:25.800183058 CEST	1.1.1.1	192.168.2.7	0x96e8	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:33:27.723629951 CEST	1.1.1.1	192.168.2.7	0xb0c3	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 14:33:27.723629951 CEST	1.1.1.1	192.168.2.7	0xb0c3	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:33:41.088001966 CEST	1.1.1.1	192.168.2.7	0x3b3	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 14:33:41.088001966 CEST	1.1.1.1	192.168.2.7	0x3b3	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:33:43.799959898 CEST	1.1.1.1	192.168.2.7	0x2e	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jul 3, 2024 14:33:47.982327938 CEST	1.1.1.1	192.168.2.7	0x2d09	No error (0)	bcl.screenconnect.com	server-nixc4ced126-web.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 14:33:47.982327938 CEST	1.1.1.1	192.168.2.7	0x2d09	No error (0)	server-nixc4ced126-web.screenconnect.com		145.40.109.218	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:33:58.024564981 CEST	1.1.1.1	192.168.2.7	0xd8cb	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:33:58.024564981 CEST	1.1.1.1	192.168.2.7	0xd8cb	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:34:04.879522085 CEST	1.1.1.1	192.168.2.7	0xd1f3	No error (0)	instance-ss6pex-relay.screenconnect.com	server-nixc4ced126-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 14:34:04.879522085 CEST	1.1.1.1	192.168.2.7	0xd1f3	No error (0)	server-nixc4ced126-relay.screenconnect.com		145.40.109.216	A (IP address)	IN (0x0001)	false
Jul 3, 2024 14:34:40.733889103 CEST	1.1.1.1	192.168.2.7	0xda25	No error (0)	instance-ss6pex-relay.screenconnect.com	server-nixc4ced126-relay.screenconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 14:34:40.733889103 CEST	1.1.1.1	192.168.2.7	0xda25	No error (0)	server-nixc4ced126-relay.screenconnect.com		145.40.109.216	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bcl.screenconnect.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49704	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:21 UTC	647	OUT	GET /Bin/ScreenConnect.Client.application?h=instance-ss6pex-relay.screenconnect.com&p=443&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2F1I8rI%2FJv32GQaD4DfyMmJGNmo%2F%2FRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2FgQWhvcJ843vxr8g3Su6i%2BOQ19Uh%2B6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2FR7Jc98i2Kg%2Bl%2FjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2Bu4Ov%2F99l3%2BbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2B7OFy%2Bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2FwdqfUZx0u617T5JnSJ&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&i=Ily&e=Support&y=Guest&r= HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-07-03 12:33:22 UTC	273	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 154833 Content-Type: application/x-ms-application; charset=utf-8 Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:21 GMT Connection: close
2024-07-03 12:33:22 UTC	16111	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 32 3d Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2=
2024-07-03 12:33:22 UTC	16384	IN	Data Raw: 41 41 42 49 55 41 41 41 75 5a 51 41 41 6d 6d 51 41 41 41 5a 6b 41 41 43 37 4a 77 41 41 54 6a 63 41 41 4b 4d 56 41 41 43 4f 62 77 41 41 68 67 67 41 41 46 4a 43 41 41 42 69 62 67 41 41 50 79 67 41 41 44 56 5a 41 41 43 44 61 77 41 41 2b 44 30 41 41 41 4e 47 41 41 41 34 54 51 41 41 6a 55 59 41 41 43 6f 73 41 41 42 32 45 77 41 41 38 41 34 41 41 45 70 63 41 41 42 46 47 77 41 41 46 47 77 41 41 42 38 5a 41 41 42 53 47 51 41 41 2b 55 4d 41 41 49 6c 41 41 41 42 51 4c 67 41 41 6e 44 49 41 41 43 51 39 41 41 44 50 4b 77 41 41 32 42 30 41 41 4c 63 35 41 41 43 41 59 77 41 41 4d 46 49 41 41 50 77 59 41 41 43 45 56 51 41 41 50 48 4d 41 41 48 77 50 41 41 44 46 45 67 41 41 7a 42 55 41 41 50 59 36 41 41 41 37 42 77 41 41 4c 6c 67 41 41 4d 59 37 41 41 41 6a 54 67 41 41 50 31 Data Ascii: AABIUAAAuZQAAmmQAAAZkAAC7JwAATjcAAKMVAACObwAAhggAAFJCAABibgAAPygAADVZAACDawAA+D0AAANGAAA4TQAAjUYAACosAAB2EwAA8A4AAEpcAABFGwAAFGwAAB8ZAABSGQAA+UMAAIlAAABQLgAAnDIAACQ9AADPKwAA2B0AALc5AACAYwAAMFIAAPwYAACEVQAAPHMAAHwPAADFEgAAzBUAAPY6AAA7BwAALlgAAMY7AAAjTgAAP1
2024-07-03 12:33:22 UTC	16384	IN	Data Raw: 41 51 77 42 68 41 48 41 41 64 41 42 31 41 48 49 41 5a 51 42 55 41 47 6b 41 64 41 42 73 41 47 55 41 4a 77 38 41 41 46 5a 44 41 47 38 41 62 67 42 30 41 48 49 41 62 77 42 73 41 46 41 41 59 51 42 75 41 47 55 41 62 41 42 54 41 47 55 41 62 41 42 6c 41 47 4d 41 64 41 42 42 41 47 34 41 62 67 42 76 41 48 51 41 59 51 42 30 41 47 6b 41 62 77 42 75 41 45 30 41 62 77 42 6b 41 47 55 41 52 41 42 6c 41 48 4d 41 59 77 42 79 41 47 6b 41 63 41 42 30 41 47 6b 41 62 77 42 75 41 44 63 50 41 41 42 4b 51 77 42 76 41 47 34 41 64 41 42 79 41 47 38 41 62 41 42 51 41 47 45 41 62 67 42 6c 41 47 77 41 55 77 42 6c 41 47 77 41 5a 51 42 6a 41 48 51 41 51 51 42 75 41 47 34 41 62 77 42 30 41 47 45 41 64 41 42 70 41 47 38 41 62 67 42 4e 41 47 38 41 5a 41 42 6c 41 46 51 41 61 51 42 30 41 47 Data Ascii: AQwBhAHAAdAB1AHIAZQBUAGkAdABsAGUAJw8AAFZDAG8AbgB0AHIAbwBsAFAAYQBuAGUAbABTAGUAbABlAGMAdABBAG4AbgBvAHQAYQB0AGkAbwBuAE0AbwBkAGUARABlAHMAYwByAGkAcAB0AGkAbwBuADcPAABKQwBvAG4AdAByAG8AbABQAGEAbgBlAGwAUwBlAGwAZQBjAHQAQQBuAG4AbwB0AGEAdABpAG8AbgBNAG8AZABlAFQAaQB0AG
2024-07-03 12:33:22 UTC	16384	IN	Data Raw: 55 41 47 55 41 65 41 42 30 41 4f 41 32 41 41 41 6f 54 51 42 6c 41 48 4d 41 63 77 42 68 41 47 63 41 5a 51 42 7a 41 46 51 41 65 51 42 77 41 47 6b 41 62 67 42 6e 41 45 59 41 62 77 42 79 41 47 30 41 59 51 42 30 41 50 67 32 41 41 42 61 54 67 42 76 41 48 51 41 61 51 42 6d 41 47 6b 41 59 77 42 68 41 48 51 41 61 51 42 76 41 47 34 41 51 51 42 6b 41 47 30 41 61 51 42 75 41 47 6b 41 63 77 42 30 41 48 49 41 59 51 42 30 41 47 6b 41 64 67 42 6c 41 45 77 41 62 77 42 6e 41 47 38 41 62 67 42 53 41 47 55 41 63 51 42 31 41 47 55 41 63 77 42 30 41 45 30 41 5a 51 42 7a 41 48 4d 41 59 51 42 6e 41 47 55 41 43 6a 63 41 41 45 35 4f 41 47 38 41 64 41 42 70 41 47 59 41 61 51 42 6a 41 47 45 41 64 41 42 70 41 47 38 41 62 67 42 43 41 47 45 41 62 67 42 75 41 47 55 41 63 67 42 44 41 47 Data Ascii: UAGUAeAB0AOA2AAAoTQBlAHMAcwBhAGcAZQBzAFQAeQBwAGkAbgBnAEYAbwByAG0AYQB0APg2AABaTgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AQQBkAG0AaQBuAGkAcwB0AHIAYQB0AGkAdgBlAEwAbwBnAG8AbgBSAGUAcQB1AGUAcwB0AE0AZQBzAHMAYQBnAGUACjcAAE5OAG8AdABpAGYAaQBjAGEAdABpAG8AbgBCAGEAbgBuAGUAcgBDAG
2024-07-03 12:33:22 UTC	16384	IN	Data Raw: 6c 63 58 56 6c 63 33 52 6c 5a 43 34 4e 43 67 30 4b 55 47 78 6c 59 58 4e 6c 49 48 4e 30 59 57 35 6b 59 6e 6b 67 64 47 38 67 59 58 64 68 61 58 51 67 59 58 42 77 63 6d 39 32 59 57 77 75 41 53 35 54 64 57 4a 74 61 58 52 30 61 57 35 6e 49 48 4a 6c 63 58 56 6c 63 33 51 67 5a 6d 39 79 49 47 46 6b 62 57 6c 75 61 58 4e 30 63 6d 46 30 61 58 5a 6c 49 47 78 76 5a 32 39 75 4c 69 34 75 41 52 64 53 5a 58 46 31 5a 58 4e 30 49 45 78 76 5a 32 39 75 49 45 46 6e 59 57 6c 75 49 4f 4b 65 6f 51 47 65 41 56 52 6f 5a 53 42 7a 65 58 4e 30 5a 57 30 67 61 47 46 7a 49 47 4a 6c 59 32 39 74 5a 53 42 31 62 6d 46 32 59 57 6c 73 59 57 4a 73 5a 53 34 67 56 47 68 70 63 79 42 6a 62 33 56 73 5a 43 42 69 5a 53 42 6b 64 57 55 67 64 47 38 67 59 53 42 75 5a 58 52 33 62 33 4a 72 49 47 4e 76 62 6d Data Ascii: lcXVlc3RlZC4NCg0KUGxlYXNlIHN0YW5kYnkgdG8gYXdhaXQgYXBwcm92YWwuAS5TdWJtaXR0aW5nIHJlcXVlc3QgZm9yIGFkbWluaXN0cmF0aXZlIGxvZ29uLi4uARdSZXF1ZXN0IExvZ29uIEFnYWluIOKeoQGeAVRoZSBzeXN0ZW0gaGFzIGJlY29tZSB1bmF2YWlsYWJsZS4gVGhpcyBjb3VsZCBiZSBkdWUgdG8gYSBuZXR3b3JrIGNvbm
2024-07-03 12:33:22 UTC	16384	IN	Data Raw: 69 33 79 7a 37 41 7a 37 66 4e 51 43 77 61 6a 34 42 65 35 45 74 71 46 31 6a 41 2f 5a 4c 4a 78 42 59 64 4d 44 69 39 77 41 41 38 72 74 76 77 64 51 6f 43 41 4f 41 61 49 50 68 7a 33 66 2f 37 7a 2f 39 52 36 41 6c 41 49 42 6d 53 5a 4a 78 41 41 42 65 52 43 51 75 56 4d 71 7a 50 38 63 49 41 41 42 45 6f 49 45 71 73 45 45 62 39 4d 45 59 4c 4d 41 47 48 4d 45 46 33 4d 45 4c 2f 47 41 32 68 45 49 6b 78 4d 4a 43 45 45 49 4b 5a 49 41 63 63 6d 41 70 72 49 4a 43 4b 49 62 4e 73 42 30 71 59 43 2f 55 51 42 30 30 77 46 46 6f 68 70 4e 77 44 69 37 43 56 62 67 4f 50 58 41 50 2b 6d 45 49 6e 73 45 6f 76 49 45 4a 42 45 48 49 43 42 4e 68 49 64 71 49 41 57 4b 4b 57 43 4f 4f 43 42 65 5a 68 66 67 68 77 55 67 45 45 6f 73 6b 49 4d 6d 49 46 46 45 69 53 35 45 31 53 44 46 53 69 6c 51 67 56 55 Data Ascii: i3yz7Az7fNQCwaj4Be5EtqF1jA/ZLJxBYdMDi9wAA8rtvwdQoCAOAaIPhz3f/7z/9R6AlAIBmSZJxAABeRCQuVMqzP8cIAABEoIEqsEEb9MEYLMAGHMEF3MEL/GA2hEIkxMJCEEIKZIAccmAprIJCKIbNsB0qYC/UQB00wFFohpNwDi7CVbgOPXAP+mEInsEovIEJBEHICBNhIdqIAWKKWCOOCBeZhfghwUgEEoskIMmIFFEiS5E1SDFSilQgVU
2024-07-03 12:33:22 UTC	16384	IN	Data Raw: 6a 45 42 68 63 59 73 31 4a 36 70 35 57 31 50 79 71 6c 4d 45 48 70 37 6e 77 54 43 65 66 31 72 35 66 38 73 63 47 6a 57 46 37 61 6b 38 6a 49 6f 38 71 67 72 43 6e 38 47 38 64 4a 37 2f 62 4d 36 4c 6a 76 38 6c 54 70 65 33 52 6e 6a 31 52 4e 69 46 5a 54 59 4c 31 54 2f 66 51 39 39 64 71 57 6f 6f 76 7a 50 44 39 78 73 75 67 69 37 30 57 6b 7a 56 38 39 61 56 62 75 4d 30 2f 78 36 74 48 4f 68 6a 6a 56 4d 6d 68 68 67 44 4e 39 74 53 65 52 67 45 59 46 50 59 46 42 67 39 6e 43 54 61 66 45 78 39 42 31 47 63 39 33 30 58 68 45 63 4c 71 53 75 41 65 62 57 55 74 43 6b 55 4e 48 56 63 56 62 6f 59 76 70 69 6a 43 2b 52 41 55 69 69 57 73 59 52 45 72 30 47 54 66 58 4d 36 4b 37 71 57 55 72 74 7a 4d 63 6c 70 4c 33 6d 30 34 4b 30 72 45 70 72 48 48 66 32 59 51 76 67 78 67 79 52 67 44 74 49 Data Ascii: jEBhcYs1J6p5W1PyqlMEHp7nwTCef1r5f8scGjWF7ak8jIo8qgrCn8G8dJ7/bM6Ljv8lTpe3Rnj1RNiFZTYL1T/fQ99dqWoovzPD9xsugi70WkzV89aVbuM0/x6tHOhjjVMmhhgDN9tSeRgEYFPYFBg9nCTafEx9B1Gc930XhEcLqSuAebWUtCkUNHVcVboYvpijC+RAUiiWsYREr0GTfXM6K7qWUrtzMclpL3m04K0rEprHHf2YQvgxgyRgDtI
2024-07-03 12:33:22 UTC	16384	IN	Data Raw: 76 5a 6d 6c 73 5a 51 41 41 65 4e 71 64 55 32 64 55 55 2b 6b 57 50 66 66 65 39 45 4a 4c 69 49 43 55 53 32 39 53 46 51 67 67 55 6b 4b 4c 67 42 53 52 4a 69 6f 68 43 52 42 4b 69 43 47 68 32 52 56 52 77 52 46 46 52 51 51 62 79 4b 43 49 41 34 36 4f 67 49 77 56 55 53 77 4d 69 67 72 59 42 2b 51 68 6f 6f 36 44 6f 34 69 4b 79 76 76 68 65 36 4e 72 31 72 7a 33 35 73 33 2b 74 64 63 2b 35 36 7a 7a 6e 62 50 50 42 38 41 49 44 4a 5a 49 4d 31 45 31 67 41 79 70 51 68 34 52 34 49 50 48 78 4d 62 68 35 43 35 41 67 51 6f 6b 63 41 41 51 43 4c 4e 6b 49 58 50 39 49 77 45 41 2b 48 34 38 50 43 73 69 77 41 65 2b 41 41 46 34 30 77 73 49 41 4d 42 4e 6d 38 41 77 48 49 66 2f 44 2b 70 43 6d 56 77 42 67 49 51 42 77 48 53 52 4f 45 73 49 67 42 51 41 51 48 71 4f 51 71 59 41 51 45 59 42 67 4a Data Ascii: vZmlsZQAAeNqdU2dUU+kWPffe9EJLiICUS29SFQggUkKLgBSRJiohCRBKiCGh2RVRwRFFRQQbyKCIA46OgIwVUSwMigrYB+Qhoo6Do4iKyvvhe6Nr1rz35s3+tdc+56zznbPPB8AIDJZIM1E1gAypQh4R4IPHxMbh5C5AgQokcAAQCLNkIXP9IwEA+H48PCsiwAe+AAF40wsIAMBNm8AwHIf/D+pCmVwBgIQBwHSROEsIgBQAQHqOQqYAQEYBgJ
2024-07-03 12:33:22 UTC	16384	IN	Data Raw: 4f 39 5a 71 74 42 51 70 68 5a 63 48 77 68 39 70 51 6e 59 30 59 57 31 71 6f 65 41 61 63 59 43 41 50 42 6d 70 42 6e 72 38 35 59 79 43 71 36 63 46 78 58 49 4f 31 2b 65 75 62 34 35 43 51 4a 65 30 61 6b 4c 69 79 41 59 41 47 42 53 48 6e 6f 34 43 48 37 38 30 56 4b 48 79 31 4f 70 6b 65 2f 46 6d 65 63 37 6b 79 44 67 48 63 56 76 4a 43 51 49 42 67 43 59 4d 77 6a 2b 55 79 45 44 57 35 57 4c 75 70 53 61 72 31 76 61 57 62 4b 41 74 64 6d 46 52 52 41 4d 41 4f 43 50 6b 55 72 77 70 79 31 4c 4b 51 65 58 68 44 71 34 65 4e 71 64 39 4c 56 55 45 37 42 6a 46 39 59 74 6e 51 78 4d 45 41 77 41 34 4d 58 47 37 6e 41 61 57 69 30 44 74 2b 50 67 30 36 49 67 39 35 37 35 65 30 63 53 42 4f 7a 6f 77 6e 70 6b 32 77 54 42 41 41 41 6d 4d 44 77 54 66 48 66 50 55 6f 37 47 65 54 33 4d 6e 4c 4e 2f Data Ascii: O9ZqtBQphZcHwh9pQnY0YW1qoeAacYCAPBmpBnr85YyCq6cFxXIO1+eub45CQJe0akLiyAYAGBSHno4CH780VKHy1Opke/Fmec7kyDgHcVvJCQIBgCYMwj+UyEDW5WLupSar1vaWbKAtdmFRRAMAOCPkUrwpy1LKQeXhDq4eNqd9LVUE7BjF9YtnQxMEAwA4MXG7nAaWi0Dt+Pg06Ig9575e0cSBOzownpk2wTBAAAmMDwTfHfPUo7GeT3MnLN/
2024-07-03 12:33:22 UTC	7650	IN	Data Raw: 70 37 56 30 4b 64 47 42 74 69 4c 4a 4d 44 52 41 32 77 49 44 46 44 68 49 4c 69 57 61 65 6a 48 48 51 58 2b 55 59 44 54 43 50 43 62 74 69 45 77 51 4e 4d 48 77 63 4d 2f 39 66 38 59 57 49 41 72 38 62 54 34 48 46 62 62 68 73 41 41 6a 52 38 45 64 2b 35 46 36 76 45 78 73 41 44 48 44 37 41 68 4d 45 44 32 67 2b 44 72 66 54 38 47 46 75 41 45 41 6d 77 49 44 4a 44 39 49 50 68 61 76 37 75 42 42 62 67 53 4b 38 57 6e 73 4e 77 32 42 41 61 49 72 2f 49 39 77 56 31 37 6b 61 34 4a 63 43 78 4c 78 59 65 77 31 44 59 45 42 6b 68 68 45 44 78 56 63 59 48 33 52 76 6f 37 46 46 71 41 55 77 69 77 49 54 42 41 44 51 6b 65 71 2b 38 78 38 4d 67 70 41 63 34 6a 77 49 62 41 41 44 57 6f 65 42 36 36 36 7a 48 77 76 41 42 48 73 56 78 38 42 43 39 37 2b 34 56 48 76 68 63 41 4e 51 79 43 4a 32 70 37 Data Ascii: p7V0KdGBtiLJMDRA2wIDFDhILiWaejHHQX+UYDTCPCbtiEwQNMHwcM/9f8YWIAr8bT4HFbbhsAAjR8Ed+5F6vExsADHD7AhMED2g+DrfT8GFuAEAmwIDJD9IPhav7uBBbgSK8WnsNw2BAaIr/I9wV17ka4JcCxLxYew1DYEBkhhEDxVcYH3Rvo7FFqAUwiwITBADQkeq+8x8MgpAc4jwIbAADWoeB666zHwvABHsVx8BC97+4VHvhcANQyCJ2p7

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49706	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:24 UTC	103	OUT	GET /Bin/ScreenConnect.Client.manifest HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip
2024-07-03 12:33:25 UTC	238	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 17858 Content-Type: text/html Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:24 GMT Connection: close
2024-07-03 12:33:25 UTC	16146	IN	Data Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 61 73 6d 76 31 3a 61 73 73 65 6d 62 6c 79 20 78 73 69 3a 73 63 68 65 6d 61 4c 6f 63 61 74 69 6f 6e 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 20 61 73 73 65 6d 62 6c 79 2e 61 64 61 70 74 69 76 65 2e 78 73 64 22 20 6d 61 6e 69 66 65 73 74 56 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 31 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 31 22 20 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 20 78 6d 6c 6e 73 3a 61 73 6d 76 Data Ascii: <?xml version="1.0" encoding="utf-8"?><asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv
2024-07-03 12:33:25 UTC	1712	IN	Data Raw: 73 4c 30 70 36 4d 44 44 6e 53 6c 72 7a 6d 32 71 32 41 53 34 2b 6a 57 75 66 63 78 34 64 79 74 35 42 69 67 32 4d 45 6a 52 30 65 7a 6f 51 39 75 6f 36 74 74 6d 41 61 44 47 37 64 71 5a 79 33 53 76 55 51 61 6b 68 43 42 6a 37 41 37 43 64 66 48 6d 7a 4a 61 77 76 39 71 59 46 53 4c 53 63 47 54 37 65 47 30 58 4f 42 76 36 79 62 35 6a 4e 57 79 2b 54 67 51 35 75 72 4f 6b 66 57 2b 30 2f 74 76 6b 32 45 30 58 4c 79 54 52 53 69 44 4e 69 70 6d 4b 46 2b 77 63 38 36 4c 4a 69 55 47 73 6f 50 55 58 50 59 56 47 55 7a 74 59 75 42 65 4d 2f 4c 6f 36 4f 77 4b 70 37 41 44 4b 35 47 79 4e 6e 6d 2b 39 36 30 49 48 6e 57 6d 5a 63 79 37 34 30 68 51 38 33 65 52 47 76 37 62 55 4b 4a 47 79 47 46 59 6d 50 56 38 41 68 59 38 67 79 69 74 4f 59 62 73 31 4c 63 4e 55 39 44 34 52 2b 5a 31 4d 49 33 73 Data Ascii: sL0p6MDDnSlrzm2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3SvUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tvk2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49716	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:33 UTC	129	OUT	GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-07-03 12:33:34 UTC	238	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 95520 Content-Type: text/html Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:33 GMT Connection: close
2024-07-03 12:33:34 UTC	16146	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f8 10 28 a3 bc 71 46 f0 bc 71 46 f0 bc 71 46 f0 08 ed b7 f0 b6 71 46 f0 08 ed b5 f0 c6 71 46 f0 08 ed b4 f0 a4 71 46 f0 3c 0a 42 f1 ad 71 46 f0 3c 0a 45 f1 a8 71 46 f0 3c 0a 43 f1 96 71 46 f0 b5 09 d5 f0 b6 71 46 f0 a2 23 d5 f0 bf 71 46 f0 bc 71 47 f0 cc 71 46 f0 32 0a 4f f1 bd 71 46 f0 32 0a b9 f0 bd 71 46 f0 32 0a 44 f1 bd 71 46 f0 52 69 63 68 bc 71 46 f0 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(qFqFqFqFqFqF<BqF<EqF<CqFqF#qFqGqF2OqF2qF2DqFRichqF
2024-07-03 12:33:34 UTC	16384	IN	Data Raw: 74 dd 40 00 68 7c dd 40 00 6a 02 e8 85 fe ff ff 83 c4 10 8b f0 ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e4 d0 40 00 5e 5d c3 55 8b ec 56 68 90 dd 40 00 68 88 dd 40 00 68 90 dd 40 00 6a 03 e8 4a fe ff ff 83 c4 10 8b f0 ff 75 0c ff 75 08 85 f6 74 0c 8b ce ff 15 88 d1 40 00 ff d6 eb 06 ff 15 e8 d0 40 00 5e 5d c3 55 8b ec 56 68 a4 dd 40 00 68 9c dd 40 00 68 a4 dd 40 00 6a 04 e8 0c fe ff ff 8b f0 83 c4 10 85 f6 74 15 ff 75 10 8b ce ff 75 0c ff 75 08 ff 15 88 d1 40 00 ff d6 eb 0c ff 75 0c ff 75 08 ff 15 60 d0 40 00 5e 5d c3 56 e8 56 ed ff ff 8b 70 04 85 f6 74 0a 8b ce ff 15 88 d1 40 00 ff d6 e8 de 15 00 00 cc 55 8b ec 8b 45 10 8b 4d 08 81 78 04 80 00 00 00 7f 06 0f be 41 08 5d c3 8b 41 08 5d c3 55 8b ec 8b 45 08 8b 4d 10 89 48 08 5d c3 53 Data Ascii: t@h\|@jut@@^]UVh@h@h@jJuut@@^]UVh@h@h@jtuuu@uu`@^]VVpt@UEMxA]A]UEMH]S
2024-07-03 12:33:34 UTC	16384	IN	Data Raw: 0c 8b 48 7c 85 c9 74 03 f0 ff 01 8b 88 84 00 00 00 85 c9 74 03 f0 ff 01 8b 88 80 00 00 00 85 c9 74 03 f0 ff 01 8b 88 8c 00 00 00 85 c9 74 03 f0 ff 01 56 6a 06 8d 48 28 5e 81 79 f8 38 46 41 00 74 09 8b 11 85 d2 74 03 f0 ff 02 83 79 f4 00 74 0a 8b 51 fc 85 d2 74 03 f0 ff 02 83 c1 10 83 ee 01 75 d6 ff b0 9c 00 00 00 e8 4e 01 00 00 59 5e 5d c3 8b ff 55 8b ec 51 53 56 8b 75 08 57 8b 86 88 00 00 00 85 c0 74 6c 3d 48 46 41 00 74 65 8b 46 7c 85 c0 74 5e 83 38 00 75 59 8b 86 84 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 30 d9 ff ff ff b6 88 00 00 00 e8 28 fb ff ff 59 59 8b 86 80 00 00 00 85 c0 74 18 83 38 00 75 13 50 e8 0e d9 ff ff ff b6 88 00 00 00 e8 04 fc ff ff 59 59 ff 76 7c e8 f9 d8 ff ff ff b6 88 00 00 00 e8 ee d8 ff ff 59 59 8b 86 8c 00 00 00 85 c0 74 45 83 Data Ascii: H\|ttttVjH(^y8FAttytQtuNY^]UQSVuWtl=HFAteF\|t^8uYt8uP0(YYt8uPYYv\|YYtE
2024-07-03 12:33:34 UTC	16384	IN	Data Raw: 41 14 0f b7 59 06 83 c0 18 03 c1 85 db 74 1b 8b 7d 0c 8b 70 0c 3b fe 72 09 8b 48 08 03 ce 3b f9 72 0a 42 83 c0 28 3b d3 72 e8 33 c0 5f 5e 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a fe 68 20 2e 41 00 68 80 36 40 00 64 a1 00 00 00 00 50 83 ec 08 53 56 57 a1 04 40 41 00 31 45 f8 33 c5 50 8d 45 f0 64 a3 00 00 00 00 89 65 e8 c7 45 fc 00 00 00 00 68 00 00 40 00 e8 7c 00 00 00 83 c4 04 85 c0 74 54 8b 45 08 2d 00 00 40 00 50 68 00 00 40 00 e8 52 ff ff ff 83 c4 08 85 c0 74 3a 8b 40 24 c1 e8 1f f7 d0 83 e0 01 c7 45 fc fe ff ff ff 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 8b 45 ec 8b 00 33 c9 81 38 05 00 00 c0 0f 94 c1 8b c1 c3 8b 65 e8 c7 45 fc fe ff ff ff 33 c0 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc 55 Data Ascii: AYt}p;rH;rB(;r3_^[]Ujh .Ah6@dPSVW@A1E3PEdeEh@\|tTE-@Ph@Rt:@$EMdY_^[]E38eE3MdY_^[]U
2024-07-03 12:33:34 UTC	16384	IN	Data Raw: 79 00 2d 00 67 00 62 00 00 00 64 00 61 00 2d 00 64 00 6b 00 00 00 64 00 65 00 2d 00 61 00 74 00 00 00 64 00 65 00 2d 00 63 00 68 00 00 00 64 00 65 00 2d 00 64 00 65 00 00 00 64 00 65 00 2d 00 6c 00 69 00 00 00 64 00 65 00 2d 00 6c 00 75 00 00 00 64 00 69 00 76 00 2d 00 6d 00 76 00 00 00 00 00 65 00 6c 00 2d 00 67 00 72 00 00 00 65 00 6e 00 2d 00 61 00 75 00 00 00 65 00 6e 00 2d 00 62 00 7a 00 00 00 65 00 6e 00 2d 00 63 00 61 00 00 00 65 00 6e 00 2d 00 63 00 62 00 00 00 65 00 6e 00 2d 00 67 00 62 00 00 00 65 00 6e 00 2d 00 69 00 65 00 00 00 65 00 6e 00 2d 00 6a 00 6d 00 00 00 65 00 6e 00 2d 00 6e 00 7a 00 00 00 65 00 6e 00 2d 00 70 00 68 00 00 00 65 00 6e 00 2d 00 74 00 74 00 00 00 65 00 6e 00 2d 00 75 00 73 00 00 00 65 00 6e 00 2d 00 7a 00 61 00 00 00 65 Data Ascii: y-gbda-dkde-atde-chde-dede-lide-ludiv-mvel-gren-auen-bzen-caen-cben-gben-ieen-jmen-nzen-phen-tten-usen-zae
2024-07-03 12:33:34 UTC	13838	IN	Data Raw: 61 32 91 32 a0 32 b6 32 cc 32 e3 32 ea 32 f6 32 09 33 0e 33 1a 33 1f 33 30 33 9a 33 a1 33 b3 33 bc 33 04 34 16 34 1e 34 28 34 31 34 42 34 54 34 6f 34 af 34 c1 34 c7 34 db 34 2f 35 39 35 3f 35 45 35 b0 35 b9 35 f2 35 fd 35 f2 37 25 38 2a 38 50 39 68 39 95 39 b0 39 c0 39 c5 39 cf 39 d4 39 df 39 ea 39 fe 39 4f 3a f6 3a 17 3b 70 3b 7b 3b ca 3b e2 3b 2c 3c c2 3c d9 3c 57 3d 9b 3d ad 3d e3 3d e8 3d f5 3d 01 3e 17 3e 2a 3e 5d 3e 6c 3e 71 3e 82 3e 88 3e 93 3e 9b 3e a6 3e ac 3e b7 3e bd 3e cb 3e d4 3e d9 3e e6 3e eb 3e f8 3e 06 3f 0d 3f 15 3f 2e 3f 40 3f 4c 3f 54 3f 6c 3f 91 3f a2 3f ab 3f f2 3f 00 60 00 00 18 01 00 00 26 30 4d 30 67 30 be 30 cb 30 d6 30 e0 30 e6 30 fa 30 06 31 7f 31 88 31 b4 31 bd 31 c5 31 e2 31 07 32 19 32 35 32 59 32 74 32 7f 32 25 33 d8 33 e1 Data Ascii: a222222223333033333444(414B4T4o44444/595?5E555557%88P9h9999999999O::;p;{;;;,<<<W======>>>]>l>q>>>>>>>>>>>>>>>???.?@?L?T?l?????`&0M0g000000011111112252Y2t22%33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49717	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:35 UTC	137	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-07-03 12:33:36 UTC	238	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 61216 Content-Type: text/html Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:35 GMT Connection: close
2024-07-03 12:33:36 UTC	16146	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 74 ed ec fa 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 ba 00 00 00 0a 00 00 00 00 00 00 2a d8 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 b2 9a 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELt"0* @ @
2024-07-03 12:33:36 UTC	16384	IN	Data Raw: 7b 0e 36 00 59 28 7b 0e 36 00 4c 27 7b 0e 01 00 39 0c 65 0e 16 00 8b 16 7f 0e 16 00 58 0d 87 0e 36 00 6d 08 8f 0e 16 00 01 00 93 0e 06 00 ef 10 22 0a 06 00 60 10 22 0a 06 00 53 26 7b 0e 06 00 fa 1d 68 0e 06 00 31 0f 4b 00 06 00 04 1b 9d 0e 06 00 64 1f a1 0e 06 00 8a 27 a6 0e 06 00 95 18 22 0a 36 00 6d 08 aa 0e 16 00 9b 00 af 0e 16 00 b4 00 af 0e 16 00 29 03 af 0e 36 00 6d 08 b9 0e 16 00 37 01 af 0e 06 00 d0 1c be 0e 16 00 b9 1a c3 0e 36 00 6d 08 d0 0e 16 00 25 00 d5 0e 16 00 47 19 87 0e 36 00 6d 08 e7 0e 16 00 ff 07 ec 0e 16 00 36 08 f7 0e 06 00 20 2f 01 0f 06 00 62 20 57 0e 06 00 d7 19 06 0f 06 00 e9 19 06 0f 06 00 81 19 0b 0f 16 00 b9 1a c3 0e 36 00 6d 08 10 0f 16 00 e7 00 15 0f 16 00 46 03 1e 0f 16 00 d4 05 29 0f 16 00 c1 06 34 0f 16 00 6b 07 34 0f 16 Data Ascii: {6Y({6L'{9eX6m"`"S&{h1Kd'"6m)6m76m%G6m6 /b W6mF)4k4
2024-07-03 12:33:36 UTC	16384	IN	Data Raw: 6c 6f 62 61 6c 00 67 65 74 5f 56 65 72 74 69 63 61 6c 00 4d 61 72 73 68 61 6c 00 67 65 74 5f 48 6f 72 69 7a 6f 6e 74 61 6c 00 70 69 64 6c 00 73 65 61 72 63 68 42 6f 78 49 6e 70 75 74 4c 65 6e 67 74 68 54 68 72 65 73 68 6f 6c 64 4c 61 62 65 6c 00 53 79 73 74 65 6d 2e 43 6f 6d 70 6f 6e 65 6e 74 4d 6f 64 65 6c 00 61 64 64 5f 4d 6f 75 73 65 57 68 65 65 6c 00 50 6f 70 75 6c 61 74 65 50 61 6e 65 6c 00 65 6d 70 74 79 52 65 73 75 6c 74 73 50 61 6e 65 6c 00 72 65 73 75 6c 74 73 50 61 6e 65 6c 00 70 61 6e 65 6c 00 53 65 6c 65 63 74 41 6c 6c 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 57 69 6e 64 6f 77 73 42 61 63 6b 73 74 61 67 65 53 68 65 6c 6c 00 73 65 74 5f 41 75 74 6f 53 63 72 6f 6c 6c 00 41 73 73 65 72 74 4e 6f 6e 4e 75 6c 6c 00 67 65 74 5f 43 6f 6e 74 72 6f Data Ascii: lobalget_VerticalMarshalget_HorizontalpidlsearchBoxInputLengthThresholdLabelSystem.ComponentModeladd_MouseWheelPopulatePanelemptyResultsPanelresultsPanelpanelSelectAllScreenConnect.WindowsBackstageShellset_AutoScrollAssertNonNullget_Contro
2024-07-03 12:33:36 UTC	12302	IN	Data Raw: 6d 00 65 00 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 2e 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 42 00 61 00 63 00 6b 00 73 00 74 00 61 00 67 00 65 00 53 00 68 00 65 00 6c 00 6c 00 2e 00 65 00 78 00 65 00 00 00 3c 00 0e 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 53 00 63 00 72 00 65 00 65 00 6e 00 43 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 00 00 3c 00 0c 00 01 00 50 00 72 00 6f 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 31 00 2e 00 37 00 2e 00 38 00 38 00 39 00 32 00 00 00 40 00 0c 00 01 00 41 00 73 00 73 00 65 00 6d 00 62 00 6c 00 79 00 20 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 00 00 32 00 34 00 2e 00 31 00 2e Data Ascii: meScreenConnect.WindowsBackstageShell.exe<ProductNameScreenConnect<ProductVersion24.1.7.8892@Assembly Version24.1.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49718	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:37 UTC	141	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-07-03 12:33:37 UTC	236	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:37 GMT Connection: close
2024-07-03 12:33:37 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49719	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:38 UTC	112	OUT	GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip
2024-07-03 12:33:39 UTC	236	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:38 GMT Connection: close
2024-07-03 12:33:39 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49720	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:41 UTC	144	OUT	GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-07-03 12:33:41 UTC	236	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 266 Content-Type: text/html Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:41 GMT Connection: close
2024-07-03 12:33:41 UTC	266	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 3c 73 74 61 72 74 75 70 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 34 2e 30 22 20 2f 3e 0d 0a 20 20 20 20 3c 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 76 65 72 73 69 6f 6e 3d 22 76 32 2e 30 2e 35 30 37 32 37 22 20 2f 3e 0d 0a 20 20 3c 2f 73 74 61 72 74 75 70 3e 0d 0a 20 20 3c 72 75 6e 74 69 6d 65 3e 0d 0a 20 20 20 20 3c 67 65 6e 65 72 61 74 65 50 75 62 6c 69 73 68 65 72 45 76 69 64 65 6e 63 65 20 65 6e 61 62 6c 65 64 3d 22 66 61 6c 73 65 22 20 2f 3e 0d 0a 20 20 3c 2f 72 75 6e 74 69 6d 65 3e 0d 0a 3c 2f 63 6f 6e Data Ascii: <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v4.0" /> <supportedRuntime version="v2.0.50727" /> </startup> <runtime> <generatePublisherEvidence enabled="false" /> </runtime></con

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49721	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:43 UTC	110	OUT	GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip
2024-07-03 12:33:43 UTC	238	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 81696 Content-Type: text/html Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:43 GMT Connection: close
2024-07-03 12:33:43 UTC	16146	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9d 1e ea db 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 40 00 00 00 d4 00 00 00 00 00 00 e6 5e 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 98 e1 01 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0@^ `@ `@
2024-07-03 12:33:43 UTC	16384	IN	Data Raw: 30 36 66 00 00 29 01 00 24 39 37 33 35 31 30 64 62 2d 37 64 37 66 2d 34 35 32 62 2d 38 39 37 35 2d 37 34 61 38 35 38 32 38 64 33 35 34 00 00 13 01 00 02 00 00 00 04 54 65 78 74 05 53 74 61 74 65 00 00 08 01 00 0b 00 00 00 00 00 00 00 aa 07 bb 52 e2 7f b6 1a 16 70 39 62 99 10 da 25 20 03 f8 b1 0c 16 76 b0 87 b5 03 15 be 82 3b e7 4d ae 95 84 a0 9c a0 f3 97 a0 e9 31 eb ec 1a 5a 42 b4 95 29 66 1e 3d 25 30 b1 71 7e 0e 3b dc 51 50 01 c4 f5 e2 a8 d4 94 55 83 aa f3 3a 82 04 50 40 8f 31 bc 77 88 37 d6 ee e0 33 bd ee 7a 00 62 18 29 c6 ae 8d 1c 37 ba 64 0c e6 fb e5 52 62 9a d8 73 05 ba 33 d4 84 5a 4a 80 2c ea 2a 6d 84 8f 00 00 00 00 30 b7 b5 c8 00 00 00 00 02 00 00 00 7b 00 00 00 18 5e 00 00 18 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 Data Ascii: 06f)$973510db-7d7f-452b-8975-74a85828d354TextStateRp9b% v;M1ZB)f=%0q~;QPU:P@1w73zb)7dRbs3ZJ,*m0{^@
2024-07-03 12:33:44 UTC	16384	IN	Data Raw: f4 ff 51 cc f8 ff 52 ce fa ff 53 d0 fd ff 54 d1 fe ff 54 d2 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 d2 ff ff 55 d1 fe ff 54 d0 fd ff 53 cf fb ff 52 cc f8 ff 51 c9 f4 ff 50 c6 f0 ff 4e c2 eb ff 4c bc e5 ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff dd 96 3a ff 4c bc e5 ff 4e c2 eb ff 50 c6 f0 ff 51 Data Ascii: QRSTTUUTSRQPNL::::::::::::::::::::::::::::::::::::::LNPQ
2024-07-03 12:33:44 UTC	16384	IN	Data Raw: ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 66 d7 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 d8 ff ff 67 Data Ascii: ffffffffffffffffffffgggggggggggggggggggggggggggggggggggggg
2024-07-03 12:33:44 UTC	16384	IN	Data Raw: ff ff 00 00 00 00 00 00 00 00 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 00 9a dc ff 6e cd f3 ff 85 e0 ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 80 df ff ff 9a e5 ff ef 00 00 00 00 00 00 00 00 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9f e0 ef 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 ff 00 9f e0 cf 00 9f e0 10 00 00 00 00 00 00 00 00 00 Data Ascii: n
2024-07-03 12:33:44 UTC	14	IN	Data Raw: c0 4f 41 15 20 0e e0 10 3b 00 00 00 00 00 Data Ascii: OA ;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	51653	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:45 UTC	123	OUT	GET /Bin/ScreenConnect.Windows.dll HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-07-03 12:33:45 UTC	240	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 1721344 Content-Type: text/html Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:45 GMT Connection: close
2024-07-03 12:33:45 UTC	16144	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e3 02 41 f8 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 3c 1a 00 00 06 00 00 00 00 00 00 5a 5b 1a 00 00 20 00 00 00 60 1a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 1a 00 00 02 00 00 61 0b 1b 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELA" 0<Z[ ` a@
2024-07-03 12:33:45 UTC	16384	IN	Data Raw: 12 01 d0 a9 00 00 02 28 51 00 00 0a 28 fc 01 00 0a 7d 60 03 00 04 12 01 20 41 01 00 00 7d 61 03 00 04 07 0a 02 03 04 16 fe 01 12 00 e0 28 bc 01 00 06 2d 0a 12 02 fe 15 52 00 00 1b 08 2a 12 00 06 7b 6a 03 00 04 17 58 18 5a 28 fd 01 00 0a 7d 69 03 00 04 12 00 7c 6a 03 00 04 25 4a 17 58 54 02 03 04 16 fe 01 12 00 e0 28 bc 01 00 06 26 06 7b 69 03 00 04 28 fe 01 00 0a 06 7b 62 03 00 04 06 7b 63 03 00 04 73 ff 01 00 0a 73 00 02 00 0a 0c de 0c 06 7b 69 03 00 04 28 9e 01 00 0a dc 08 2a 00 00 00 01 10 00 00 02 00 68 00 33 9b 00 0c 00 00 00 00 13 30 05 00 69 00 00 00 08 00 00 11 73 01 02 00 0a 25 04 7d 02 02 00 0a 25 03 7d 03 02 00 0a 25 02 7d 04 02 00 0a 25 7c 05 02 00 0a fe 15 cb 00 00 01 25 25 fe 06 06 02 00 0a 73 82 03 00 06 7d 07 02 00 0a 25 7b 07 02 00 0a 28 Data Ascii: (Q(}` A}a(-R{jXZ(}i\|j%JXT(&{i({b{css{i(h30is%}%}%}%\|%%s}%{(
2024-07-03 12:33:46 UTC	16384	IN	Data Raw: d3 28 84 00 00 0a 2d c3 16 2a 1e 02 7b fc 00 00 04 2a 1a 73 7b 01 00 0a 7a 32 02 7b fc 00 00 04 8c cb 00 00 01 2a 00 00 13 30 02 00 3c 00 00 00 89 00 00 11 02 7b fb 00 00 04 1f fe 33 1d 02 7b fd 00 00 04 28 46 03 00 0a 6f 47 03 00 0a 33 0b 02 16 7d fb 00 00 04 02 0a 2b 07 16 73 4e 03 00 06 0a 06 02 7b ff 00 00 04 7d fe 00 00 04 06 2a 1e 02 28 54 03 00 06 2a 7a 02 28 2c 00 00 0a 02 03 7d 01 01 00 04 02 28 46 03 00 0a 6f 47 03 00 0a 7d 03 01 00 04 2a 06 2a 00 00 00 13 30 05 00 d5 00 00 00 8a 00 00 11 02 7b 01 01 00 04 0a 06 2c 09 06 17 3b 8d 00 00 00 16 2a 02 15 7d 01 01 00 04 1f 09 0b 02 17 07 25 17 58 0b 1f 1f 5f 62 8d d8 00 00 01 7d 04 01 00 04 02 7b 04 01 00 04 8e 69 d0 d8 00 00 01 28 51 00 00 0a 28 fc 01 00 0a 5a 0c 02 7b 04 01 00 04 08 12 03 28 70 01 Data Ascii: (-{s{z2{0<{3{(FoG3}+sN{}(Tz(,}(FoG}0{,;}%X_b}{i(Q(Z{(p
2024-07-03 12:33:46 UTC	16384	IN	Data Raw: a0 02 06 00 41 a7 3f 22 06 00 3c cc 3f 22 06 00 5d 54 3f 22 06 00 a0 90 3f 22 06 00 ac a3 3f 22 06 00 7e aa 3f 22 06 00 cb cf 42 22 06 00 6e 45 42 22 06 00 06 46 3f 22 06 00 ad 58 3f 22 06 00 86 bf 3f 22 06 00 a3 69 3f 22 06 00 75 9f 3f 22 06 00 a4 60 3f 22 06 00 1c cf 3f 22 06 00 b0 5f 3f 22 06 00 a0 51 e6 24 06 00 b3 be 3f 22 06 00 2b be 3f 22 06 10 f1 50 b8 25 06 06 1f 30 af 08 56 80 45 c8 bc 25 56 80 2e c8 bc 25 06 06 1f 30 af 08 56 80 1b 9d c1 25 06 06 1f 30 af 08 56 80 10 27 c6 25 56 80 3e 29 c6 25 56 80 15 0e c6 25 56 80 34 29 c6 25 06 06 1f 30 3f 22 56 80 cb 38 cb 25 56 80 5c c8 cb 25 56 80 fe 38 cb 25 56 80 30 bd cb 25 56 80 f1 9b cb 25 56 80 02 c1 cb 25 56 80 2b 7f cb 25 56 80 21 c8 cb 25 56 80 cd 9b cb 25 56 80 90 88 cb 25 56 80 6c 6c cb 25 56 Data Ascii: A?"<?"]T?"?"?"~?"B"nEB"F?"X?"?"i?"u?"`?"?"_?"Q$?"+?"P%0VE%V.%0V%0V'%V>)%V%V4)%0?"V8%V\%V8%V0%V%V%V+%V!%V%V%Vll%V
2024-07-03 12:33:46 UTC	16384	IN	Data Raw: 86 18 d3 98 01 00 12 07 42 a5 00 00 00 00 83 00 ea 07 ba 3a 12 07 55 a5 00 00 00 00 91 18 fe 98 d2 26 13 07 61 a5 00 00 00 00 86 18 d3 98 01 00 13 07 69 a5 00 00 00 00 83 00 6d 02 d8 3a 13 07 71 a5 00 00 00 00 83 00 6b 0a d8 3a 14 07 79 a5 00 00 00 00 86 18 d3 98 05 00 15 07 98 a5 00 00 00 00 e1 01 52 58 01 00 16 07 d0 a5 00 00 00 00 e1 01 07 c2 3d 00 16 07 9c a7 00 00 00 00 81 00 f1 0d 01 00 16 07 b8 a7 00 00 00 00 e1 09 a0 bb 86 18 16 07 c0 a7 00 00 00 00 e1 01 e3 b5 01 00 16 07 c7 a7 00 00 00 00 e1 09 66 bc 4e 00 16 07 d0 a7 00 00 00 00 e1 01 a3 97 df 3a 16 07 24 a8 00 00 00 00 e1 01 6f 98 64 00 16 07 00 00 01 00 2b 6b 00 00 01 00 a1 a5 00 00 01 00 2b 6b 00 00 01 00 b2 5e 00 00 01 00 a1 a5 00 00 01 00 b2 5e 00 00 01 00 81 74 00 00 01 00 3b a7 00 00 01 Data Ascii: B:U&aim:qk:yRX=fN:$od+k+k^^t;
2024-07-03 12:33:46 UTC	16384	IN	Data Raw: 99 02 54 6a 7c 04 99 02 ce 58 0c 1b 99 07 8d 6a 3d 0b 4c 04 8e 98 5b 00 54 04 85 bc 49 00 44 02 c7 0d d9 00 08 00 14 00 f6 1b 08 00 18 00 fb 1b 08 00 1c 00 00 1c 08 00 20 00 05 1c 08 00 b8 00 0a 1c 0e 00 bc 00 0f 1c 0e 00 c0 00 22 1c 0e 00 c4 00 33 1c 08 00 c8 00 46 1c 08 00 cc 00 4b 1c 0e 00 d0 00 50 1c 0e 00 d4 00 5f 1c 0e 00 d8 00 6e 1c 0e 00 e0 00 97 1c 08 00 f0 00 35 1d 08 00 f4 00 3a 1d 08 00 f8 00 3f 1d 08 00 1c 01 f6 1b 08 00 20 01 fb 1b 08 00 24 01 00 1c 09 00 28 01 fb 1b 09 00 2c 01 00 1c 09 00 30 01 44 1d 09 00 34 01 49 1d 09 00 38 01 fb 1b 09 00 3c 01 00 1c 09 00 40 01 fb 1b 09 00 44 01 00 1c 09 00 48 01 44 1d 09 00 4c 01 49 1d 09 00 50 01 4e 1d 09 00 54 01 53 1d 09 00 58 01 58 1d 09 00 5c 01 5d 1d 09 00 60 01 62 1d 09 00 64 01 67 1d 09 00 68 Data Ascii: Tj\|Xj=L[TID "3FKP_n5:? $(,0D4I8<@DHDLIPNTSXX\]`bdgh
2024-07-03 12:33:46 UTC	16384	IN	Data Raw: 65 43 6f 6e 74 65 78 74 4d 65 6e 75 53 74 72 69 70 49 74 65 6d 73 3e 62 5f 5f 38 5f 31 00 55 53 45 52 5f 49 4e 46 4f 5f 31 00 3c 52 65 70 6c 61 63 65 57 6e 64 50 72 6f 63 3e 62 5f 5f 31 00 3c 52 75 6e 43 6f 6d 6d 61 6e 64 4c 69 6e 65 50 72 6f 67 72 61 6d 3e 62 5f 5f 31 00 3c 47 65 74 44 65 73 6b 74 6f 70 57 69 6e 64 6f 77 48 61 6e 64 6c 65 73 3e 62 5f 5f 31 00 3c 47 65 74 57 69 6e 64 6f 77 48 61 6e 64 6c 65 73 3e 62 5f 5f 31 00 3c 47 65 74 44 65 73 63 65 6e 64 65 6e 74 57 69 6e 64 6f 77 48 61 6e 64 6c 65 73 3e 62 5f 5f 31 00 3c 47 65 74 57 69 6e 64 6f 77 53 74 61 74 69 6f 6e 4e 61 6d 65 73 3e 62 5f 5f 31 00 3c 47 65 74 44 65 73 6b 74 6f 70 4e 61 6d 65 73 3e 62 5f 5f 31 00 3c 3e 63 5f 5f 44 69 73 70 6c 61 79 43 6c 61 73 73 31 36 30 5f 30 60 31 00 3c 3e 63 Data Ascii: eContextMenuStripItems>b__8_1USER_INFO_1<ReplaceWndProc>b__1<RunCommandLineProgram>b__1<GetDesktopWindowHandles>b__1<GetWindowHandles>b__1<GetDescendentWindowHandles>b__1<GetWindowStationNames>b__1<GetDesktopNames>b__1<>c__DisplayClass160_0`1<>c
2024-07-03 12:33:46 UTC	16384	IN	Data Raw: 72 65 65 43 6f 6e 73 6f 6c 65 00 77 42 69 74 73 50 65 72 53 61 6d 70 6c 65 00 6c 70 54 69 74 6c 65 00 41 64 64 41 63 63 65 73 73 52 75 6c 65 00 46 69 6c 65 53 79 73 74 65 6d 41 63 63 65 73 73 52 75 6c 65 00 53 65 74 41 63 63 65 73 73 52 75 6c 65 00 6c 70 68 4d 6f 64 75 6c 65 00 67 65 74 5f 4d 61 69 6e 4d 6f 64 75 6c 65 00 50 72 6f 63 65 73 73 4d 6f 64 75 6c 65 00 44 6f 63 6b 53 74 79 6c 65 00 64 77 53 74 79 6c 65 00 64 77 45 78 53 74 79 6c 65 00 67 65 74 5f 4e 61 6d 65 00 6a 6f 62 4e 61 6d 65 00 70 44 6f 63 4e 61 6d 65 00 6c 70 50 72 6f 63 4e 61 6d 65 00 6c 70 53 76 63 4e 61 6d 65 00 64 6d 44 65 76 69 63 65 4e 61 6d 65 00 6c 70 73 7a 44 65 76 69 63 65 4e 61 6d 65 00 73 65 72 76 69 63 65 4e 61 6d 65 00 72 65 73 6f 75 72 63 65 4e 61 6d 65 00 50 61 63 6b 61 Data Ascii: reeConsolewBitsPerSamplelpTitleAddAccessRuleFileSystemAccessRuleSetAccessRulelphModuleget_MainModuleProcessModuleDockStyledwStyledwExStyleget_NamejobNamepDocNamelpProcNamelpSvcNamedmDeviceNamelpszDeviceNameserviceNameresourceNamePacka
2024-07-03 12:33:46 UTC	16384	IN	Data Raw: 74 61 72 74 73 57 69 74 68 43 68 61 72 00 43 6f 6e 76 65 72 74 42 6f 74 68 53 6c 61 73 68 65 73 54 6f 43 68 61 72 00 44 69 72 65 63 74 6f 72 79 53 65 70 61 72 61 74 6f 72 43 68 61 72 00 70 72 6f 70 76 61 72 00 65 5f 63 70 61 72 68 64 72 00 49 73 4d 65 6d 62 65 72 00 6d 61 67 69 63 4e 75 6d 62 65 72 00 64 77 42 75 69 6c 64 4e 75 6d 62 65 72 00 46 69 6c 65 48 65 61 64 65 72 00 77 61 76 65 49 6e 50 72 65 70 61 72 65 48 65 61 64 65 72 00 77 61 76 65 4f 75 74 50 72 65 70 61 72 65 48 65 61 64 65 72 00 77 61 76 65 49 6e 55 6e 70 72 65 70 61 72 65 48 65 61 64 65 72 00 77 61 76 65 4f 75 74 55 6e 70 72 65 70 61 72 65 48 65 61 64 65 72 00 62 6d 69 48 65 61 64 65 72 00 53 69 7a 65 4f 66 4f 70 74 69 6f 6e 61 6c 48 65 61 64 65 72 00 73 65 63 74 69 6f 6e 48 65 61 64 65 Data Ascii: tartsWithCharConvertBothSlashesToCharDirectorySeparatorCharpropvare_cparhdrIsMembermagicNumberdwBuildNumberFileHeaderwaveInPrepareHeaderwaveOutPrepareHeaderwaveInUnprepareHeaderwaveOutUnprepareHeaderbmiHeaderSizeOfOptionalHeadersectionHeade
2024-07-03 12:33:46 UTC	16384	IN	Data Raw: 72 65 65 4c 69 62 72 61 72 79 00 49 4e 61 74 69 76 65 4c 69 62 72 61 72 79 00 54 72 79 4c 6f 61 64 4e 61 74 69 76 65 4c 69 62 72 61 72 79 00 54 72 79 46 72 65 65 4e 61 74 69 76 65 4c 69 62 72 61 72 79 00 57 69 6e 64 6f 77 73 44 69 73 6b 4e 61 74 69 76 65 4c 69 62 72 61 72 79 00 57 69 6e 64 6f 77 73 4d 65 6d 6f 72 79 4e 61 74 69 76 65 4c 69 62 72 61 72 79 00 4f 62 6a 65 63 74 51 75 65 72 79 00 53 65 6c 65 63 74 51 75 65 72 79 00 64 77 4b 65 79 46 72 61 6d 65 45 76 65 72 79 00 64 77 49 6e 74 65 72 6c 65 61 76 65 45 76 65 72 79 00 70 74 73 45 78 70 69 72 79 00 57 54 53 46 72 65 65 4d 65 6d 6f 72 79 00 43 6f 6d 70 61 72 65 4d 65 6d 6f 72 79 00 61 76 61 69 6c 61 62 6c 65 50 68 79 73 69 63 61 6c 4d 65 6d 6f 72 79 00 74 6f 74 61 6c 50 68 79 73 69 63 61 6c 4d 65 Data Ascii: reeLibraryINativeLibraryTryLoadNativeLibraryTryFreeNativeLibraryWindowsDiskNativeLibraryWindowsMemoryNativeLibraryObjectQuerySelectQuerydwKeyFrameEverydwInterleaveEveryptsExpiryWTSFreeMemoryCompareMemoryavailablePhysicalMemorytotalPhysicalMe

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	51657	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:48 UTC	120	OUT	GET /Bin/ScreenConnect.Core.dll HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-07-03 12:33:49 UTC	239	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 546304 Content-Type: text/html Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:48 GMT Connection: close
2024-07-03 12:33:49 UTC	16145	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 fc a7 46 cc 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 4e 08 00 00 06 00 00 00 00 00 00 2e 69 08 00 00 20 00 00 00 80 08 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 02 00 00 13 8a 08 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELF" 0N.i @
2024-07-03 12:33:49 UTC	16384	IN	Data Raw: 00 00 11 03 2d 0a 12 01 fe 15 81 00 00 1b 07 2a 02 03 28 6f 01 00 0a 0a 03 6f 04 07 00 06 02 7b 6e 01 00 0a fe 01 06 5f 2c 42 02 7b 70 01 00 0a 8c 81 00 00 1b 2c 18 02 28 71 01 00 0a 02 fe 06 72 01 00 0a 73 73 01 00 0a 28 2c 00 00 2b 26 02 15 7d 6e 01 00 0a 02 7c 70 01 00 0a fe 15 81 00 00 1b 12 01 fe 15 81 00 00 1b 07 2a 03 6f 04 07 00 06 02 7b 6e 01 00 0a 33 07 02 7b 70 01 00 0a 2a 06 2c 43 02 7b 74 01 00 0a 8c 81 00 00 1b 2c 18 02 28 71 01 00 0a 02 fe 06 75 01 00 0a 73 73 01 00 0a 28 2c 00 00 2b 26 02 03 6f 04 07 00 06 7d 76 01 00 0a 02 28 2d 00 00 2b 7d 74 01 00 0a 02 7b 74 01 00 0a 2a 03 6f 04 07 00 06 02 7b 76 01 00 0a 33 57 02 7b 70 01 00 0a 8c 81 00 00 1b 2c 18 02 28 71 01 00 0a 02 fe 06 78 01 00 0a 73 73 01 00 0a 28 2c 00 00 2b 26 02 02 7b 76 01 Data Ascii: -(oo{n_,B{p,(qrss(,+&}n\|po{n3{p,C{t,(quss(,+&o}v(-+}t{to{v3W{p,(qxss(,+&{v
2024-07-03 12:33:49 UTC	16384	IN	Data Raw: 30 01 00 25 00 00 00 1d 00 00 11 02 28 c4 02 00 0a 2d 0a 12 00 fe 15 8e 00 00 1b 06 2a 00 03 6f 00 02 00 0a 0a de 07 02 28 2b 01 00 0a dc 06 2a 00 00 00 01 10 00 00 02 00 13 00 09 1c 00 07 00 00 00 00 3a 02 03 28 d8 04 00 06 28 7f 00 00 2b 26 2a 00 1b 30 01 00 1a 00 00 00 74 00 00 11 02 0a 06 28 2a 01 00 0a 03 6f 00 02 00 0a 0b de 07 06 28 2b 01 00 0a dc 07 2a 00 00 01 10 00 00 02 00 08 00 09 11 00 07 00 00 00 00 3a 02 03 28 d8 04 00 06 28 80 00 00 2b 26 2a 1a 02 47 02 03 52 2a 26 02 4a 02 02 4a 03 58 54 2a b2 73 c5 02 00 0a 25 02 19 28 c6 02 00 0a 7d c7 02 00 0a 03 02 16 28 c8 02 00 0a df fe 06 c9 02 00 0a 73 66 09 00 06 73 a7 03 00 06 2a 00 00 00 13 30 02 00 19 00 00 00 08 00 00 11 02 2d 02 14 2a 02 6f 1d 01 00 0a 0a 12 00 72 2b 0d 00 70 28 ca 02 00 0a Data Ascii: 0%(-o(+:((+&0t(o(+:((+&GR&JJXTs%(}(sfs0-or+p(
2024-07-03 12:33:49 UTC	16384	IN	Data Raw: 04 00 0a 25 02 7d 2f 04 00 0a 2a b2 02 7e 30 04 00 0a 25 2d 13 26 14 fe 06 d3 00 00 2b 73 2c 04 00 0a 25 80 30 04 00 0a 28 d6 00 00 2b 28 44 05 00 06 28 d4 00 00 2b 2a 00 00 00 1b 30 02 00 2d 00 00 00 d0 00 00 11 16 6a 0a 02 6f 31 04 00 0a 0b 2b 0b 07 6f 32 04 00 0a 0c 06 08 60 0a 07 6f 11 00 00 0a 2d ed de 0a 07 2c 06 07 6f 10 00 00 0a dc 06 2a 00 00 00 01 10 00 00 02 00 0a 00 17 21 00 0a 00 00 00 00 1e 02 6f 00 02 00 0a 2a 13 30 02 00 40 00 00 00 61 00 00 11 03 d0 43 00 00 01 28 3a 01 00 0a 33 16 02 75 b8 00 00 01 0a 06 2c 0c 06 73 8b 01 00 0a 8c 43 00 00 01 2a 03 28 b3 09 00 06 2c 0d 03 02 28 33 04 00 0a 28 34 04 00 0a 2a 02 03 28 35 04 00 0a 2a 5a 02 d0 8e 00 00 1b 28 3a 01 00 0a 28 46 05 00 06 a5 8e 00 00 1b 2a 00 13 30 02 00 4c 00 00 00 d1 00 00 11 Data Ascii: %}/~0%-&+s,%0(+(D(+0-jo1+o2`o-,o!o0@aC(:3u,sC(,(3(4(5Z(:(F0L
2024-07-03 12:33:49 UTC	16384	IN	Data Raw: 00 00 11 02 28 59 07 00 06 72 fa 14 00 70 02 28 61 07 00 06 0a 12 00 28 94 01 00 0a 28 4d 01 00 0a 2a 1e 02 28 5a 07 00 06 2a 1e 02 7b a5 02 00 04 2a 22 02 03 7d a5 02 00 04 2a 13 30 03 00 25 00 00 00 1c 01 00 11 02 28 63 07 00 06 72 18 15 00 70 02 28 65 07 00 06 0a 12 00 fe 16 2e 01 00 02 6f 43 00 00 0a 28 4d 01 00 0a 2a 1e 02 28 64 07 00 06 2a 1e 02 7b a6 02 00 04 2a 22 02 03 7d a6 02 00 04 2a 1e 02 28 42 07 00 06 2a 1e 02 28 3c 00 00 0a 2a 1e 02 7b a7 02 00 04 2a 22 02 03 7d a7 02 00 04 2a 1e 02 7b a8 02 00 04 2a 22 02 03 7d a8 02 00 04 2a 1e 02 28 6c 07 00 06 2a 1e 02 28 6c 07 00 06 2a 1e 02 7b ae 02 00 04 2a 22 02 03 7d ae 02 00 04 2a 1e 02 28 6c 07 00 06 2a 1e 02 7b af 02 00 04 2a 22 02 03 7d af 02 00 04 2a 1e 02 7b b0 02 00 04 2a 22 02 03 7d b0 02 Data Ascii: (Yrp(a((M(Z{"}0%(crp(e.oC(M(d{"}(B(<{"}{"}(l(l{"}(l{"}{"}
2024-07-03 12:33:50 UTC	16384	IN	Data Raw: 03 0e 04 58 10 01 11 08 05 32 ce 14 13 04 02 6f 89 04 00 0a 2a 42 02 03 04 28 2c 0a 00 06 02 05 7d d9 03 00 04 2a 5a 02 03 28 61 01 00 0a 03 2c 0b 02 7b d9 03 00 04 28 0d 04 00 06 2a 42 02 02 7b d9 03 00 04 03 04 05 28 f1 01 00 06 2a 00 13 30 09 00 40 00 00 00 4e 01 00 11 02 04 28 2f 0a 00 06 0a 02 06 16 28 28 0a 00 06 25 0c 2c 05 08 8e 69 2d 05 16 e0 0b 2b 09 08 16 8f b9 00 00 01 e0 0b 02 03 04 05 0e 04 07 06 02 28 2e 0a 00 06 16 fe 03 6f 38 0a 00 06 14 0c 2a 0a 1c 2a 0e 1f 1c 2a 0e 1f 14 2a 00 13 30 03 00 5d 01 00 00 00 00 00 00 03 45 17 00 00 00 05 00 00 00 13 00 00 00 22 00 00 00 37 00 00 00 45 00 00 00 f5 00 00 00 f5 00 00 00 f5 00 00 00 28 00 00 00 f5 00 00 00 f5 00 00 00 df 00 00 00 e7 00 00 00 ee 00 00 00 53 00 00 00 62 00 00 00 70 00 00 00 f5 00 Data Ascii: X2oB(,}Z(a,{(B{(0@N(/((%,i-+(.o8****0]E"7E(Sbp
2024-07-03 12:33:50 UTC	16384	IN	Data Raw: 6f b2 0b 00 06 2a 32 28 10 07 00 0a 02 6f b1 0b 00 06 2a 2e 73 3c 00 00 0a 80 0f 07 00 0a 2a 0a 17 2a 0a 16 2a 0a 17 2a 1a 73 68 01 00 0a 7a 1a 73 68 01 00 0a 7a 1a 73 68 01 00 0a 7a 1a 73 68 01 00 0a 7a 1a 73 68 01 00 0a 7a 1e 02 28 13 07 00 0a 2a 0a 16 2a 1a 73 68 01 00 0a 7a 1e 02 28 12 0c 00 06 2a 0a 16 2a 1a 73 68 01 00 0a 7a 1a 73 68 01 00 0a 7a 1e 02 28 12 0c 00 06 2a 6a 02 28 21 0c 00 06 02 03 7d 3f 04 00 04 02 04 6f 14 07 00 0a 7d 40 04 00 04 2a a6 02 03 04 05 28 1f 0c 00 06 02 7b 3f 04 00 04 03 04 05 6f 67 01 00 0a 02 7b 40 04 00 04 03 04 05 14 16 6f 15 07 00 0a 26 2a 32 02 7b 3f 04 00 04 6f 89 04 00 0a 2a 82 02 7b 40 04 00 04 16 8d b9 00 00 01 16 16 6f 16 07 00 0a 26 02 7b 40 04 00 04 6f 17 07 00 0a 2a 1e 02 7b 41 04 00 04 2a 42 02 02 7b 41 04 Data Ascii: o2(o.s<**shzshzshzshzshz(shz(*shzshz(j(!}?o}@({?og{@o&2{?o{@o&{@o{A*B{A
2024-07-03 12:33:50 UTC	16384	IN	Data Raw: 02 7b 36 05 00 04 03 6f 46 02 00 06 2a 00 00 13 30 03 00 1b 00 00 00 ae 01 00 11 02 7b 36 05 00 04 03 16 28 2f 00 00 2b 0a 12 00 28 8e 01 00 0a 6f 48 02 00 06 2a 36 02 7b 36 05 00 04 03 6f 40 02 00 06 2a 1e 02 28 3c 00 00 0a 2a 00 00 00 13 30 03 00 27 00 00 00 af 01 00 11 02 7b 37 05 00 04 03 12 00 28 ed 01 00 2b 2d 0b 12 01 fe 15 00 01 00 1b 07 2b 06 06 73 a5 01 00 0a 6f 62 02 00 06 2a 00 13 30 03 00 27 00 00 00 b0 01 00 11 02 7b 37 05 00 04 03 12 00 28 ee 01 00 2b 2d 0b 12 01 fe 15 fb 00 00 1b 07 2b 06 06 73 a6 01 00 0a 6f 64 02 00 06 2a 2e 73 bb 0d 00 06 80 38 05 00 04 2a 1e 02 28 3c 00 00 0a 2a 32 03 6f 6f 08 00 0a 6f 70 08 00 0a 2a 1e 03 8e 69 1c fe 01 2a 1e 02 28 3c 00 00 0a 2a e2 02 7b 3b 05 00 04 17 6f 71 08 00 0a 28 62 01 00 0a 02 7b 3b 05 00 04 Data Ascii: {6oF0{6(/+(oH6{6o@(<0'{7(+-+sob0'{7(+-+sod.s8(<2ooopi(<*{;oq(b{;
2024-07-03 12:33:50 UTC	16384	IN	Data Raw: 2f 10 00 06 80 36 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 2a 03 28 b4 09 00 06 16 fe 01 2a 2e 73 32 10 00 06 80 38 07 00 04 2a 1e 02 28 3c 00 00 0a 2a 1e 03 6f 2f 0a 00 0a 2a 2e 73 30 0a 00 0a 80 31 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 00 00 13 30 01 00 07 00 00 00 52 00 00 11 03 73 32 0a 00 0a 7a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 3c 07 00 04 02 7b 3d 07 00 04 6f 33 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 4a 02 7b 3e 07 00 04 25 2d 02 26 2a 18 28 34 0a 00 0a 2a 1e 02 28 3c 00 00 0a 2a 32 02 7b 3f 07 00 04 6f 10 00 00 0a 2a 2e 73 35 0a 00 0a 80 52 05 00 0a 2a 1e 02 28 3c 00 00 0a 2a 22 0f 01 28 5c 05 00 0a 2a 22 0f 01 28 5d 05 00 0a 2a 7a 0f 01 28 36 0a 00 0a a5 81 00 00 1b 0f 01 28 37 0a 00 0a a5 82 00 00 1b 28 17 02 00 2b 2a 2e 73 43 10 00 06 80 44 07 00 04 2a 1e Data Ascii: /6(<(.s28(<o/.s01(<0Rs2z(<J{<{=o3(<J{>%-&(4(<2{?o.s5R(<"(\"(]z(6(7(+.sCD
2024-07-03 12:33:50 UTC	16384	IN	Data Raw: 01 df 03 81 00 10 00 1b 48 00 00 55 3c 01 00 35 00 bd 01 95 05 01 00 10 00 15 48 00 00 55 3c 01 00 60 03 bd 01 a1 05 01 00 10 00 fc 47 00 00 55 3c 01 00 60 03 bf 01 ac 05 81 00 10 00 fd 92 00 00 55 3c 01 00 35 00 c1 01 b5 05 01 00 10 00 4d 67 01 00 55 3c 01 00 35 00 c2 01 b8 05 01 00 10 00 f0 92 00 00 55 3c 01 00 35 00 c6 01 c1 05 01 00 10 00 11 93 00 00 55 3c 01 00 35 00 c9 01 c5 05 a1 00 10 00 fb 01 01 00 55 3c 01 00 00 00 cd 01 d5 05 81 01 10 00 3b 2b 01 00 55 3c 01 00 35 00 cd 01 d6 05 01 00 10 00 0d a9 00 00 55 3c 01 00 35 00 cd 01 e6 05 81 01 10 00 26 2b 01 00 55 3c 01 00 35 00 cd 01 ea 05 01 00 10 00 e8 fd 00 00 55 3c 01 00 24 07 cd 01 14 06 01 00 10 00 f1 fc 00 00 55 3c 01 00 28 07 d0 01 16 06 09 01 10 00 1f 81 00 00 55 3c 01 00 6d 00 d0 01 18 06 Data Ascii: HU<5HU<`GU<`U<5MgU<5U<5U<5U<;+U<5U<5&+U<5U<$U<(U<m

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	51658	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:51 UTC	122	OUT	GET /Bin/ScreenConnect.Client.dll HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-07-03 12:33:52 UTC	239	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 197120 Content-Type: text/html Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:52 GMT Connection: close
2024-07-03 12:33:52 UTC	16145	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 86 0a e4 db 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 fa 02 00 00 06 00 00 00 00 00 00 2a 18 03 00 00 20 00 00 00 20 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 03 00 00 02 00 00 d9 fe 03 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL" 0* `@
2024-07-03 12:33:52 UTC	16384	IN	Data Raw: 00 00 00 0c 00 00 11 73 75 00 00 0a 0a 06 72 8f 0f 00 70 6f 76 00 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 f6 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 f8 02 00 06 16 fe 01 2a 26 0f 00 03 28 fb 02 00 06 2a 0a 16 2a 5e 03 75 77 00 00 02 2c 0d 02 03 a5 77 00 00 02 28 fb 02 00 06 2a 16 2a 0a 17 2a 00 13 30 02 00 40 00 00 00 0c 00 00 11 73 75 00 00 0a 0a 06 72 c3 0f 00 70 6f 76 00 00 0a 26 06 72 59 01 00 70 6f 76 00 00 0a 26 02 06 28 fd 02 00 06 2c 09 06 1f 20 6f 77 00 00 0a 26 06 1f 7d 6f 77 00 00 0a 26 06 6f 29 00 00 0a 2a 0a 16 2a 2e 02 03 28 ff 02 00 06 16 fe 01 2a 26 0f 00 03 28 02 03 00 06 2a 0a 16 2a 5e 03 75 78 00 00 02 2c 0d 02 03 a5 78 00 00 02 28 02 03 00 06 2a 16 2a Data Ascii: surpov&rYpov&(, ow&}ow&o)*.(&(^uw,w(0@surpov&rYpov&(, ow&}ow&o).(&(^ux,x(
2024-07-03 12:33:52 UTC	16384	IN	Data Raw: 15 04 00 06 72 b7 17 00 70 18 28 2e 02 00 0a 26 02 28 da 00 00 0a 7d 04 01 00 04 02 7e 2c 02 00 0a 7d 05 01 00 04 02 15 7d 06 01 00 04 02 28 ef 00 00 0a 6f 2f 02 00 0a 7d 03 01 00 04 02 7b 03 01 00 04 03 06 7b 6a 01 00 04 6f 30 02 00 0a 06 7b 6a 01 00 04 6f 31 02 00 0a 6f 32 02 00 0a 02 7b 03 01 00 04 05 0e 04 6f 33 02 00 0a 02 7b 03 01 00 04 16 16 06 7b 6a 01 00 04 6f 30 02 00 0a 06 7b 6a 01 00 04 6f 31 02 00 0a 73 95 01 00 0a 06 fe 06 b5 04 00 06 73 34 02 00 0a 28 35 02 00 0a de 10 26 02 28 14 04 00 06 fe 1a 07 28 bd 00 00 0a dc 2a 00 00 00 01 1c 00 00 00 00 66 00 76 dc 00 09 16 00 00 01 02 00 1a 00 cb e5 00 07 00 00 00 00 1b 30 03 00 42 00 00 00 25 00 00 11 02 7b 02 01 00 04 0a 06 28 b8 00 00 0a 02 28 15 04 00 06 72 cb 17 00 70 18 28 36 02 00 0a 26 02 Data Ascii: rp(.&(}~,}}(o/}{{jo0{jo1o2{o3{{jo0{jo1ss4(5&((*fv0B%{((rp(6&
2024-07-03 12:33:52 UTC	16384	IN	Data Raw: 00 75 38 39 1f 16 00 81 38 39 1f 36 00 56 0a 43 1f 16 00 e1 01 48 1f 16 00 f6 03 59 1f 16 00 30 07 6a 1f 16 00 ab 08 48 1f 16 00 30 04 72 1f 16 00 4d 07 7c 1f 16 00 01 00 86 1f 16 00 3b 03 86 1f 06 00 9c 72 8f 1f 06 00 95 5c 9e 1d 06 00 9c 72 8f 1f 06 00 73 75 8f 1d 01 00 b1 74 94 1f 01 00 11 5a aa 10 01 00 5b 37 9a 1f 36 00 56 0a 9f 1f 16 00 8a 02 a4 1f 36 00 56 0a b0 1f 16 00 a0 00 a4 1f 36 00 56 0a e7 11 16 00 70 00 dd 11 16 00 94 03 53 12 06 00 c0 80 64 07 06 00 32 63 b5 11 06 00 49 6d 10 11 06 00 9c 72 ba 11 06 00 6b 32 c7 11 06 00 6a 79 cc 11 06 00 3e 83 a7 10 06 00 d5 62 2d 13 06 00 9c 72 ba 11 06 00 19 0d 58 04 06 00 f4 76 b5 1f 06 00 9c 72 ba 1f 06 00 d8 65 7b 1e 06 00 a9 5d cc 11 36 00 56 0a bf 1f 16 00 6c 01 c4 1f 06 00 9c 72 d6 1f 06 00 c0 80 Data Ascii: u89896VCHY0jH0rM\|;r\rsutZ[76V6V6VpSd2cImrk2jy>b-rXvre{]6Vlr
2024-07-03 12:33:52 UTC	16384	IN	Data Raw: 6e a3 21 e8 03 00 00 00 00 00 00 c6 05 11 0c b1 04 e8 03 70 b2 00 00 00 00 c4 01 18 2a cf 2b e8 03 90 b2 00 00 00 00 94 00 86 3e d9 2b e9 03 00 00 00 00 00 00 c4 05 6e 64 e3 2b ea 03 33 b3 00 00 00 00 81 00 8a 71 e3 2b eb 03 54 b3 00 00 00 00 c4 00 58 10 d2 21 ec 03 a4 b9 00 00 00 00 81 00 7b 2a ea 2b ed 03 0c ba 00 00 00 00 91 00 00 0f f9 2b f0 03 a4 ba 00 00 00 00 81 00 6a 09 09 2c f4 03 c4 ba 00 00 00 00 91 18 c3 66 ab 20 f5 03 d0 ba 00 00 00 00 86 18 bd 66 01 00 f5 03 d8 ba 00 00 00 00 83 00 87 01 10 2c f5 03 f7 ba 00 00 00 00 91 18 c3 66 ab 20 f6 03 03 bb 00 00 00 00 86 18 bd 66 01 00 f6 03 0b bb 00 00 00 00 83 00 3a 00 21 2c f6 03 13 bb 00 00 00 00 83 00 74 03 28 2c f7 03 1b bb 00 00 00 00 83 00 a3 01 79 29 f8 03 2e bb 00 00 00 00 86 18 bd 66 01 00 Data Ascii: n!p+>+nd+3q+TX!{++j,f f,f f:!,t(,y).f
2024-07-03 12:33:52 UTC	16384	IN	Data Raw: 00 a1 1c 20 13 6b 00 a1 1c 21 13 6b 00 a1 1c 41 13 6b 00 a1 1c 60 13 6b 00 a1 1c 61 13 1a 00 dc 2e 61 13 6b 00 a1 1c 80 13 6b 00 a1 1c a3 13 6b 00 a1 1c c3 13 6b 00 a1 1c e1 13 6b 00 a1 1c e3 13 6b 00 a1 1c 01 14 6b 00 a1 1c 03 14 6b 00 a1 1c 21 14 6b 00 a1 1c 41 14 6b 00 a1 1c 60 14 6b 00 a1 1c 61 14 6b 00 a1 1c 63 14 6b 00 a1 1c 81 14 6b 00 a1 1c 83 14 6b 00 a1 1c a0 14 6b 00 a1 1c a1 14 6b 00 a1 1c c1 14 6b 00 a1 1c c3 14 6b 00 a1 1c e1 14 6b 00 a1 1c e3 14 6b 00 a1 1c 01 15 6b 00 a1 1c 03 15 6b 00 a1 1c 21 15 6b 00 a1 1c 23 15 6b 00 a1 1c 41 15 1a 00 5d 2f 41 15 6b 00 a1 1c 44 15 c2 05 a1 1c 61 15 6b 00 a1 1c 63 15 6b 00 a1 1c 80 15 6b 00 a1 1c 81 15 6b 00 a1 1c 83 15 6b 00 a1 1c a0 15 6b 00 a1 1c a1 15 1a 00 dc 2e a1 15 6b 00 a1 1c a3 15 6b 00 a1 1c Data Ascii: k!kAk`ka.akkkkkkkk!kAk`kakckkkkkkkkkkk!k#kA]/AkDakckkkkk.kk
2024-07-03 12:33:52 UTC	16384	IN	Data Raw: 52 65 71 75 65 73 74 49 44 00 73 65 74 5f 52 65 71 75 65 73 74 49 44 00 3c 3e 4f 00 53 79 73 74 65 6d 2e 49 4f 00 3c 73 74 72 65 61 6d 49 44 3e 50 00 43 61 6c 63 75 6c 61 74 65 46 50 53 00 54 00 67 65 74 5f 58 00 74 69 6c 65 58 00 67 65 74 5f 59 00 74 69 6c 65 59 00 76 61 6c 75 65 5f 5f 00 55 6e 69 6f 6e 55 6e 6c 65 73 73 4e 6f 41 72 65 61 00 67 65 74 5f 44 61 74 61 00 73 65 74 5f 44 61 74 61 00 73 6f 75 6e 64 44 61 74 61 00 57 72 69 74 65 4d 65 73 73 61 67 65 44 61 74 61 00 67 65 74 5f 46 72 61 6d 65 44 61 74 61 00 73 65 74 5f 46 72 61 6d 65 44 61 74 61 00 53 69 67 6e 44 61 74 61 00 67 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 73 65 74 5f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 44 61 74 61 00 49 42 69 74 6d 61 70 44 61 74 61 00 Data Ascii: RequestIDset_RequestID<>OSystem.IO<streamID>PCalculateFPSTget_XtileXget_YtileYvalue__UnionUnlessNoAreaget_Dataset_DatasoundDataWriteMessageDataget_FrameDataset_FrameDataSignDataget_AuthenticationDataset_AuthenticationDataIBitmapData
2024-07-03 12:33:52 UTC	16384	IN	Data Raw: 72 6f 70 65 72 74 69 65 73 2e 53 74 61 74 75 73 47 6c 79 70 68 42 6c 61 6e 6b 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 4f 70 65 6e 4d 6f 6e 69 74 6f 72 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6e 74 72 6f 6c 50 61 6e 65 6c 4d 65 73 73 61 67 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 43 6c 69 70 62 6f 61 72 64 4b 65 79 73 74 72 6f 6b 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 2e 50 72 6f 70 65 72 74 69 65 73 2e 43 6f 6d 6d 61 6e 64 53 65 6e 64 46 69 6c 65 73 2e 70 6e 67 00 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 Data Ascii: roperties.StatusGlyphBlankMonitor.pngScreenConnect.Properties.CommandOpenMonitor.pngScreenConnect.Properties.ControlPanelMessages.pngScreenConnect.Properties.CommandSendClipboardKeystrokes.pngScreenConnect.Properties.CommandSendFiles.pngScreenConnect
2024-07-03 12:33:52 UTC	16384	IN	Data Raw: 00 61 00 6e 00 64 00 00 27 53 00 6f 00 75 00 6e 00 64 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 4d 00 6f 00 64 00 65 00 20 00 3d 00 20 00 00 2b 53 00 65 00 6c 00 65 00 63 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 27 4d 00 75 00 74 00 65 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 31 53 00 65 00 74 00 53 00 70 00 65 00 61 00 6b 00 65 00 72 00 73 00 56 00 6f 00 6c 00 75 00 6d 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 00 13 56 00 6f 00 6c 00 75 00 6d 00 65 00 20 00 3d 00 20 00 00 37 53 00 65 00 6c 00 65 00 63 00 74 00 41 00 6e 00 6e 00 6f 00 74 00 61 00 74 00 69 00 6f 00 6e 00 4d 00 6f 00 64 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 Data Ascii: and'SoundCaptureMode = +SelectSpeakersCommand'MuteSpeakersCommand1SetSpeakersVolumeCommandVolume = 7SelectAnnotationModeComman
2024-07-03 12:33:53 UTC	16384	IN	Data Raw: 61 6b 65 43 6f 6d 70 6c 65 74 65 64 00 00 21 01 00 02 00 00 00 10 4d 65 74 72 69 63 73 45 6e 74 72 79 54 79 70 65 07 4d 69 6e 69 6d 75 6d 00 00 26 01 00 84 6b 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 4c 14 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 26 01 00 02 00 00 00 02 00 54 02 0d 41 6c 6c 6f 77 4d 75 6c 74 69 70 6c 65 00 54 02 09 49 6e 68 65 72 69 74 65 64 00 06 01 00 e4 00 00 00 06 01 00 48 00 00 00 06 01 00 49 00 00 00 06 01 00 4a 00 00 00 06 01 00 4f 00 00 00 06 01 00 50 00 00 00 06 01 00 89 00 00 00 06 01 00 8c 00 00 00 06 01 00 8e 00 00 00 06 01 00 8f 00 00 00 06 01 00 91 00 00 00 06 01 00 9f 00 00 00 06 01 00 a1 00 00 Data Ascii: akeCompleted!MetricsEntryTypeMinimum&kTAllowMultipleTInherited&LTAllowMultipleTInherited&TAllowMultipleTInheritedHIJOP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	51659	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:54 UTC	105	OUT	GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip
2024-07-03 12:33:54 UTC	238	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 68096 Content-Type: text/html Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:54 GMT Connection: close
2024-07-03 12:33:54 UTC	16146	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 43 c7 e6 fc 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 02 01 00 00 06 00 00 00 00 00 00 82 21 01 00 00 20 00 00 00 40 01 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 01 00 00 02 00 00 87 49 01 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELC" 0! @ I@
2024-07-03 12:33:54 UTC	16384	IN	Data Raw: 67 00 00 2b 7d 55 00 00 04 02 7b 53 00 00 04 6f 20 02 00 0a 28 68 00 00 2b 06 7b 56 00 00 04 25 2d 16 26 06 06 fe 06 96 00 00 06 73 21 02 00 0a 25 0c 7d 56 00 00 04 08 28 69 00 00 2b 6f 22 02 00 0a 0b 2b 28 07 6f 23 02 00 0a 0d 02 7b 54 00 00 04 28 2a 00 00 06 73 bd 00 00 0a 25 09 6f 24 02 00 0a 6f be 00 00 0a 6f 97 00 00 0a 07 6f 11 00 00 0a 2d d0 de 0a 07 2c 06 07 6f 10 00 00 0a dc 06 7b 55 00 00 04 6f 25 02 00 0a 13 04 2b 5a 11 04 6f 26 02 00 0a 13 05 02 7b 54 00 00 04 7b 0d 00 00 04 11 05 73 27 02 00 0a 25 02 7b 53 00 00 04 28 fa 00 00 0a 7e 31 00 00 04 25 2d 17 26 7e 2b 00 00 04 fe 06 6f 00 00 06 73 07 02 00 0a 25 80 31 00 00 04 28 61 00 00 2b 6f 28 02 00 0a 73 84 00 00 0a 6f 85 00 00 0a 11 04 6f 11 00 00 0a 2d 9d de 0c 11 04 2c 07 11 04 6f 10 00 00 Data Ascii: g+}U{So (h+{V%-&s!%}V(i+o"+(o#{T(*s%o$ooo-,o{Uo%+Zo&{T{s'%{S(~1%-&~+os%1(a+o(soo-,o
2024-07-03 12:33:55 UTC	16384	IN	Data Raw: 32 23 e3 0a f9 02 fa 1c 63 00 a1 01 42 48 4d 14 31 04 18 1d 74 0a 01 03 21 26 38 02 09 01 7a 2d f6 00 19 04 13 4a bb 0a 01 03 f8 31 38 02 01 03 16 1c 38 02 31 04 c8 0d aa 14 f4 00 d4 3a 99 02 ec 00 d4 3a b2 14 19 04 c4 23 c5 14 d4 03 26 2c 63 00 dc 03 d4 3a a1 00 4c 03 26 2c 63 00 4c 03 6b 44 74 00 e4 03 d4 3a a1 00 ec 03 26 2c 63 00 ec 03 6b 44 74 00 a9 02 4a 18 11 15 d4 03 d4 3a 39 00 d4 03 6b 44 74 00 d1 07 43 3e 14 15 31 04 fd 25 1a 15 81 05 2b 3e 25 15 19 04 eb 2d 2b 15 19 04 30 2f 35 15 b9 04 79 27 3c 15 31 04 2e 32 82 09 29 04 1a 43 f6 00 f1 04 38 43 54 15 fc 00 df 18 99 02 31 04 08 33 5a 15 f4 03 d4 3a a1 00 fc 03 d4 3a a1 00 19 04 07 2e 83 15 11 03 d4 3a 82 04 09 03 c1 30 9c 15 d9 07 48 36 a5 15 09 03 7f 2c ab 15 e1 07 a8 29 06 00 19 03 c0 31 38 Data Ascii: 2#cBHM1t!&8z-J1881::#&,c:L&,cLkDt:&,ckDtJ:9kDtC>1%+>%-+0/5y'<1.2)C8CT13Z::.:0H6,)18
2024-07-03 12:33:55 UTC	16384	IN	Data Raw: 6e 00 57 54 53 4c 6f 67 6f 66 66 53 65 73 73 69 6f 6e 00 57 54 53 44 69 73 63 6f 6e 6e 65 63 74 53 65 73 73 69 6f 6e 00 54 65 6d 70 6f 72 61 72 79 52 65 67 69 73 74 72 79 4d 6f 64 69 66 69 63 61 74 69 6f 6e 00 47 65 74 54 6f 6b 65 6e 49 6e 66 6f 72 6d 61 74 69 6f 6e 00 54 72 79 53 65 74 54 6f 6b 65 6e 49 6e 66 6f 72 6d 61 74 69 6f 6e 00 53 79 73 74 65 6d 2e 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 00 67 65 74 5f 47 75 65 73 74 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 00 73 65 74 5f 47 75 65 73 74 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 00 54 65 6d 70 6f 72 61 72 69 6c 79 53 77 69 74 63 68 50 72 6f 63 65 73 73 54 6f 57 69 6e 64 6f 77 53 74 61 74 69 6f 6e 00 67 65 74 5f 41 63 74 69 6f 6e 00 46 69 6c 65 41 63 74 69 6f 6e 00 43 72 65 64 65 6e 74 69 61 6c 73 41 63 Data Ascii: nWTSLogoffSessionWTSDisconnectSessionTemporaryRegistryModificationGetTokenInformationTrySetTokenInformationSystem.Configurationget_GuestConfigurationset_GuestConfigurationTemporarilySwitchProcessToWindowStationget_ActionFileActionCredentialsAc
2024-07-03 12:33:55 UTC	2798	IN	Data Raw: 80 a1 02 0e 09 15 11 80 cd 03 0e 0e 09 0a 20 01 0e 15 11 80 a1 02 0e 09 07 20 02 12 81 35 0e 0e 06 20 01 12 81 35 0e 0a 20 01 02 15 11 80 a1 02 0e 09 03 28 00 0e 04 28 00 12 65 05 28 00 12 81 a1 08 28 00 15 12 81 a5 01 1c 05 28 00 12 81 29 05 28 00 12 81 2d 05 28 00 12 81 31 04 28 00 11 71 03 28 00 02 03 28 00 08 03 28 00 0a 05 28 00 12 81 35 09 28 00 15 11 80 a1 02 0e 0e 03 28 00 1c 08 01 00 08 00 00 00 00 00 1e 01 00 01 00 54 02 16 57 72 61 70 4e 6f 6e 45 78 63 65 70 74 69 6f 6e 54 68 72 6f 77 73 01 08 01 00 02 00 00 00 00 00 12 01 00 0d 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 00 00 1b 01 00 16 53 63 72 65 65 6e 43 6f 6e 6e 65 63 74 20 53 6f 66 74 77 61 72 65 00 00 08 01 00 00 08 00 00 00 00 05 01 00 01 00 00 05 01 00 02 00 00 0a 01 00 02 00 00 00 00 01 Data Ascii: 5 5 ((e((()(-(1(q((((5((TWrapNonExceptionThrowsScreenConnectScreenConnect Software

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	51660	145.40.109.218	443	5408	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-03 12:33:56 UTC	129	OUT	GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1 Host: bcl.screenconnect.com Accept-Encoding: gzip Connection: Keep-Alive
2024-07-03 12:33:56 UTC	239	IN	HTTP/1.1 200 OK Cache-Control: private Content-Length: 598816 Content-Type: text/html Server: ScreenConnect/24.1.7.8892-2977050628 Microsoft-HTTPAPI/2.0 X-Robots-Tag: noindex Date: Wed, 03 Jul 2024 12:33:55 GMT Connection: close
2024-07-03 12:33:56 UTC	16145	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 96 53 7d 96 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 f2 08 00 00 06 00 00 00 00 00 00 22 0c 09 00 00 20 00 00 00 20 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 09 00 00 02 00 00 32 ed 09 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELS}"0" @ `2@
2024-07-03 12:33:56 UTC	16384	IN	Data Raw: 0a 0a 06 25 2d 06 26 7e b1 00 00 0a 2a 00 00 1b 30 06 00 96 0d 00 00 2c 00 00 11 73 ab 07 00 06 0a 06 02 7d 13 03 00 04 28 74 01 00 0a 2c 1c 72 9d 0a 00 70 17 17 28 75 01 00 0a 28 76 01 00 0a 16 8d 11 00 00 01 28 77 01 00 0a 02 17 7d 48 00 00 04 02 28 e4 00 00 06 17 28 ce 01 00 0a 0b 02 28 fd 00 00 06 0c 02 28 dc 00 00 06 7e a8 02 00 04 25 2d 17 26 7e 94 02 00 04 fe 06 25 07 00 06 73 cf 01 00 0a 25 80 a8 02 00 04 28 33 00 00 2b 6f d0 01 00 0a 0d 38 cb 0b 00 00 12 04 09 6f d1 01 00 0a 7d 15 03 00 04 11 04 7b 15 03 00 04 28 2c 00 00 2b 13 05 11 04 7b 15 03 00 04 6f 18 03 00 06 28 35 06 00 06 13 06 11 04 7b 15 03 00 04 6f 2c 03 00 06 28 49 06 00 06 13 07 11 04 7b 15 03 00 04 6f 2d 03 00 06 28 49 06 00 06 13 08 11 04 7b 15 03 00 04 6f 18 03 00 06 02 28 fb 00 Data Ascii: %-&~*0,s}(t,rp(u(v(w}H((((~%-&~%s%(3+o8o}{(,+{o(5{o,(I{o-(I{o(
2024-07-03 12:33:57 UTC	16384	IN	Data Raw: 26 02 7b 54 00 00 04 14 6f 7a 01 00 0a 02 17 28 3c 01 00 06 2a 02 16 28 3c 01 00 06 2a 00 00 13 30 05 00 90 00 00 00 47 00 00 11 72 1d 14 00 70 18 8d 11 00 00 01 25 16 03 8c 33 02 00 01 a2 25 17 02 7b 54 00 00 04 6f 0a 07 00 06 8c b6 00 00 02 a2 28 09 03 00 0a 02 7b 54 00 00 04 6f 0a 07 00 06 0a 06 17 2e 06 06 18 2e 27 2b 35 02 7b 5a 00 00 04 28 aa 00 00 06 6f bb 04 00 06 03 2d 22 02 28 ae 00 00 06 73 0c 03 00 0a 6f 0e 02 00 0a 2b 10 02 7b 5a 00 00 04 28 a9 00 00 06 6f bb 04 00 06 02 7b 54 00 00 04 16 6f a2 00 00 0a 02 7b 54 00 00 04 16 6f 0b 07 00 06 2a 0a 14 2a 0a 14 2a 0a 16 2a 0a 14 2a 1a 73 18 03 00 0a 7a 00 13 30 02 00 3d 01 00 00 00 00 00 00 03 d0 9d 00 00 02 28 bf 00 00 0a 33 07 02 7b 4d 00 00 04 2a 03 d0 9e 00 00 02 28 bf 00 00 0a 33 02 02 2a 03 Data Ascii: &{Toz(<(<0Grp%3%{To({To..'+5{Z(o-"(so+{Z(o{To{To****sz0=(3{M(3*
2024-07-03 12:33:57 UTC	16384	IN	Data Raw: 00 00 2b 06 fe 06 3d 08 00 06 73 2d 04 00 0a 28 b3 00 00 2b 28 b4 00 00 2b 6f 2e 04 00 0a 2a c2 02 28 2f 04 00 0a 02 7e 30 04 00 0a 28 31 04 00 0a 02 20 02 60 00 00 17 28 32 04 00 0a 02 02 fe 06 e0 01 00 06 73 33 04 00 0a 28 34 04 00 0a 2a 1e 02 7b 9b 00 00 04 2a 22 02 03 7d 9b 00 00 04 2a 1e 02 7b 9c 00 00 04 2a 22 02 03 7d 9c 00 00 04 2a 1e 02 7b 9d 00 00 04 2a 22 02 03 7d 9d 00 00 04 2a 1e 02 7b 9e 00 00 04 2a 22 02 03 7d 9e 00 00 04 2a 1e 02 7b 9f 00 00 04 2a 22 02 03 7d 9f 00 00 04 2a 1e 02 7b a0 00 00 04 2a 22 02 03 7d a0 00 00 04 2a 1e 02 7b a1 00 00 04 2a 22 02 03 7d a1 00 00 04 2a 1e 02 7b a2 00 00 04 2a 22 02 03 7d a2 00 00 04 2a 1e 02 7b a3 00 00 04 2a 22 02 03 7d a3 00 00 04 2a 1e 02 7b a4 00 00 04 2a 22 02 03 7d a4 00 00 04 2a 1e 02 7b a5 00 Data Ascii: +=s-(+(+o.(/~0(1 `(2s3(4{"}{"}{"}{"}{"}{"}{"}{"}{"}{"}{
2024-07-03 12:33:57 UTC	16384	IN	Data Raw: fe 15 1d 00 00 01 06 28 68 05 00 0a 2c 07 02 28 a7 02 00 06 2a 02 6f 1e 04 00 0a 2a 00 00 00 13 30 02 00 51 00 00 00 92 00 00 11 02 28 67 05 00 0a 2d 1d 02 28 9e 02 00 06 12 00 fe 15 1d 00 00 01 06 28 68 05 00 0a 2c 07 02 28 9e 02 00 06 2a 02 7b ef 00 00 04 2c 1d 02 28 a5 02 00 06 12 00 fe 15 1d 00 00 01 06 28 68 05 00 0a 2c 07 02 28 a5 02 00 06 2a 02 6f 1d 04 00 0a 2a d6 02 28 67 05 00 0a 2d 0f 02 28 a2 02 00 06 2c 07 02 28 a2 02 00 06 2a 02 7b ef 00 00 04 2c 0f 02 28 a9 02 00 06 2c 07 02 28 a9 02 00 06 2a 02 6f cc 04 00 0a 2a d6 02 28 67 05 00 0a 2d 0f 02 28 a4 02 00 06 2c 07 02 28 a4 02 00 06 2a 02 7b ef 00 00 04 2c 0f 02 28 ad 02 00 06 2c 07 02 28 ad 02 00 06 2a 02 28 9c 02 00 06 2a 00 00 00 1b 30 06 00 f0 00 00 00 93 00 00 11 02 03 28 d1 01 00 06 02 Data Ascii: (h,(o0Q(g-((h,({,((h,(o(g-(,({,(,(o(g-(,({,(,((*0(
2024-07-03 12:33:57 UTC	16384	IN	Data Raw: 8a 03 00 06 73 82 01 00 0a 28 0e 06 00 0a 2a 32 02 7b 38 01 00 04 6f 0f 06 00 0a 2a 36 02 7b 38 01 00 04 03 6f 10 06 00 0a 2a 00 13 30 03 00 29 00 00 00 c3 00 00 11 02 7b 3a 01 00 04 0a 06 0b 07 03 28 b7 00 00 0a 74 10 00 00 1b 0c 02 7c 3a 01 00 04 08 07 28 50 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 03 00 29 00 00 00 c3 00 00 11 02 7b 3a 01 00 04 0a 06 0b 07 03 28 b9 00 00 0a 74 10 00 00 1b 0c 02 7c 3a 01 00 04 08 07 28 50 01 00 2b 0a 06 07 33 df 2a 00 00 00 13 30 07 00 29 00 00 00 5a 00 00 11 02 02 7b 3a 01 00 04 73 8d 03 00 06 25 02 02 7b 39 01 00 04 0a 06 17 58 7d 39 01 00 04 06 6f 8c 03 00 06 28 51 01 00 2b 2a 66 02 16 7d 39 01 00 04 02 28 86 03 00 06 02 7b 38 01 00 04 6f 11 06 00 0a 2a 1e 02 28 86 03 00 06 2a 32 02 7b 38 01 00 04 6f 12 06 00 0a 2a Data Ascii: s(2{8o6{8o0){:(t\|:(P+30){:(t\|:(P+30)Z{:s%{9X}9o(Q+f}9({8o(2{8o*
2024-07-03 12:33:57 UTC	16384	IN	Data Raw: 00 0a 28 9a 01 00 2b de 39 06 7b 39 05 00 04 2c 0b 06 7b 39 05 00 04 6f 22 00 00 0a dc 06 7b 38 05 00 04 2c 0b 06 7b 38 05 00 04 6f 22 00 00 0a dc 07 2c 06 07 6f 22 00 00 0a dc 28 66 07 00 0a 26 dc 2a 01 34 00 00 02 00 69 00 41 aa 00 14 00 00 00 00 02 00 35 00 89 be 00 14 00 00 00 00 02 00 24 00 ae d2 00 0a 00 00 00 00 02 00 14 00 c8 dc 00 07 00 00 00 00 13 30 06 00 4a 00 00 00 00 00 00 00 02 28 b0 01 00 06 02 20 16 22 00 00 17 28 32 04 00 0a 02 17 28 b7 07 00 0a 02 22 00 00 80 3f 7d 73 01 00 04 02 7e c1 05 00 0a 28 10 05 00 06 73 88 05 00 0a 7d 74 01 00 04 02 18 17 16 16 02 73 b8 07 00 0a 7d 71 01 00 04 2a 00 00 13 30 03 00 29 00 00 00 16 00 00 11 02 7b 78 01 00 04 0a 06 0b 07 03 28 b7 00 00 0a 74 01 00 00 1b 0c 02 7c 78 01 00 04 08 07 28 09 00 00 2b 0a Data Ascii: (+9{9,{9o"{8,{8o",o"(f&4iA5$0J( "(2("?}s~(s}ts}q0){x(t\|x(+
2024-07-03 12:33:57 UTC	16384	IN	Data Raw: 6f 4c 05 00 06 2a 2e 28 c5 04 00 06 6f 4e 05 00 06 2a 2e 28 c5 04 00 06 6f 4a 05 00 06 2a 2e 28 c5 04 00 06 6f 44 05 00 06 2a 2e 28 c5 04 00 06 6f 46 05 00 06 2a 2e 28 c5 04 00 06 6f 48 05 00 06 2a 2e 28 c5 04 00 06 6f 46 05 00 06 2a 2e 28 c5 04 00 06 6f 64 05 00 06 2a 2e 28 c5 04 00 06 6f 66 05 00 06 2a 2e 28 c5 04 00 06 6f 68 05 00 06 2a 2e 28 c5 04 00 06 6f 5a 05 00 06 2a 2e 28 c5 04 00 06 6f 5c 05 00 06 2a 2e 28 c5 04 00 06 6f 5e 05 00 06 2a 42 28 cd 04 00 06 22 00 00 c8 c1 28 32 06 00 06 2a 42 28 cf 04 00 06 22 00 00 f0 c1 28 32 06 00 06 2a 2e 28 c5 04 00 06 6f 4c 05 00 06 2a 2e 28 c5 04 00 06 6f 48 05 00 06 2a 2e 28 c5 04 00 06 6f 50 05 00 06 2a 2e 28 c5 04 00 06 6f 50 05 00 06 2a 2e 28 c5 04 00 06 6f 46 05 00 06 2a 2e 28 c5 04 00 06 6f 58 05 00 06 Data Ascii: oL.(oN.(oJ.(oD.(oF.(oH.(oF.(od.(of.(oh.(oZ.(o\.(o^B("(2B("(2.(oL.(oH.(oP.(oP.(oF.(oX
2024-07-03 12:33:57 UTC	16384	IN	Data Raw: 0a 7d b0 09 00 0a 12 00 02 6f b1 09 00 0a 68 7d b2 09 00 0a 12 00 02 6f b3 09 00 0a 02 6f af 09 00 0a 5a 7d b4 09 00 0a 12 00 02 6f b3 09 00 0a 68 7d b5 09 00 0a 12 00 1f 16 7d b6 09 00 0a 06 2a 62 02 7b b2 09 00 0a 02 7b ae 09 00 0a 02 7b b0 09 00 0a 73 b7 09 00 0a 2a 1e 02 2c 02 17 2a 16 2a 2e 73 b8 09 00 0a 74 fb 01 00 01 2a 3e 1f fe 73 e9 0b 00 06 25 02 7d 1d 06 00 04 2a 00 1b 30 03 00 20 00 00 00 15 00 00 11 28 16 06 00 06 02 28 15 06 00 06 17 6f b9 09 00 0a 6f ba 09 00 0a 0a de 05 26 14 0a de 00 06 2a 01 10 00 00 00 00 00 00 19 19 00 05 11 00 00 01 32 28 16 06 00 06 02 6f bb 09 00 0a 2a 00 00 00 1b 30 02 00 31 00 00 00 40 01 00 11 12 00 fe 15 36 02 00 01 02 12 00 6f bc 09 00 0a 06 d0 7a 01 00 01 28 bf 00 00 0a 28 c0 00 00 0a a5 7a 01 00 01 0b de 07 Data Ascii: }oh}ooZ}oh}}b{{{s,*.st>s%}0 ((oo&2(o*01@6oz((z
2024-07-03 12:33:57 UTC	16384	IN	Data Raw: 00 0a 69 05 73 b2 01 00 0a 0c 02 28 df 00 00 0a 08 28 19 0b 00 0a 28 7f 00 00 0a 2c 0c 08 28 86 00 00 0a 73 41 05 00 0a 2a 07 06 58 0b 07 04 6b 32 b5 12 03 fe 15 c4 00 00 1b 09 2a 2e 73 11 07 00 06 80 94 02 00 04 2a 1e 02 28 46 00 00 0a 2a 82 7e aa 00 00 0a 04 6f 1b 0b 00 0a 6f 1c 0b 00 0a 20 00 01 00 00 28 6b 02 00 2b 6f 1d 0b 00 0a 2a 5e 0f 01 28 55 02 00 0a 0f 01 28 56 02 00 0a 1f 20 17 28 b5 07 00 0a 2a 1e 03 6f a4 00 00 06 2a 06 2a 82 03 6f 5c 02 00 0a 20 0b 06 00 00 33 11 03 6f 1e 0b 00 0a 20 00 02 00 00 28 6b 02 00 2b 2a 16 2a c6 7e fa 00 00 0a 72 e8 47 00 70 0f 01 28 fe 05 00 0a 28 76 01 00 0a 28 5c 06 00 06 25 2d 12 26 03 03 73 77 06 00 0a 28 03 0a 00 0a 28 04 0a 00 0a 2a 4e 03 03 6f 1f 0b 00 0a 17 73 cd 04 00 0a 6f 20 0b 00 0a 2a 22 03 04 73 21 Data Ascii: is(((,(sAXk2.s(F~oo (k+o^(U(V (oo\ 3o (k+~rGp((v(\%-&sw((Noso "s!

Target ID:	1
Start time:	08:33:08
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe"
Imagebase:	0x6e0000
File size:	86'672 bytes
MD5 hash:	CC4DD46308EBB24E27B340426F05056C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:33:10
Start date:	03/07/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Imagebase:	0x247ec340000
File size:	24'856 bytes
MD5 hash:	B4088F44B80D363902E11F897A7BAC09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000002.00000002.2172747682.000002478039E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:33:11
Start date:	03/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:33:11
Start date:	03/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:33:16
Start date:	03/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	08:33:18
Start date:	03/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff75da10000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	08:33:19
Start date:	03/07/2024
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7c1080000
File size:	329'504 bytes
MD5 hash:	3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	08:33:19
Start date:	03/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	08:33:19
Start date:	03/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	08:33:19
Start date:	03/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	08:33:20
Start date:	03/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	09:34:28
Start date:	03/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:34:33
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe"
Imagebase:	0x430000
File size:	598'816 bytes
MD5 hash:	DBD7C0D2CF1BF5CEC608648F14DC8309
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ScreenConnectTool, Description: Yara detected ScreenConnect Tool, Source: 00000010.00000000.1761418707.0000000000432000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:34:34
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2f1I8rI%2fJv32GQaD4DfyMmJGNmo%2f%2fRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2fgQWhvcJ843vxr8g3Su6i%2bOQ19Uh%2b6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2fR7Jc98i2Kg%2bl%2fjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2bu4Ov%2f99l3%2bbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2b7OFy%2bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2fwdqfUZx0u617T5JnSJ&r=&i=Ily" "1"
Imagebase:	0xbd0000
File size:	95'520 bytes
MD5 hash:	1B8110B335E144860E91F5E68CCDC8B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:34:34
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-ss6pex-relay.screenconnect.com&p=443&s=e409b2f5-1e44-4489-a8a4-30f0588f10c9&k=BgIAAACkAABSU0ExAAgAAAEAAQBdjPB2q8wjCfbSeYamY%2f1I8rI%2fJv32GQaD4DfyMmJGNmo%2f%2fRNg83nebcxkKC9J9fnvQipaIXrQUsxpppQnPKZ7juxo8OMg%2fgQWhvcJ843vxr8g3Su6i%2bOQ19Uh%2b6nNu4Mvd5N1Gn7gmJQP8LmLFqcM4XdqaWncXy3DTwTAm6za8sn0Nrpx%2fR7Jc98i2Kg%2bl%2fjkHFH9my9cD1Qp8bY32WV4Poh8SZJEDL3RX7M1gNCxhAy6Of%2bu4Ov%2f99l3%2bbDBAOICkjlLTBAUBYzj9YiB5Zym8VEMCtI%2b7OFy%2bv0PXxtCiizxlfv251D4ovL7mdH2HWE5l%2fwdqfUZx0u617T5JnSJ&r=&i=Ily" "1"
Imagebase:	0xbd0000
File size:	95'520 bytes
MD5 hash:	1B8110B335E144860E91F5E68CCDC8B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	09:34:36
Start date:	03/07/2024
Path:	C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Apps\2.0\BWL7GTAY.EPV\5W5HVA52.70C\scre..tion_25b0fbb6ef7eb094_0018.0001_799011a69f7fd08e\ScreenConnect.WindowsClient.exe" "RunRole" "15a971cf-ed33-4068-91f7-d1656f0da9bf" "User"
Imagebase:	0x680000
File size:	598'816 bytes
MD5 hash:	DBD7C0D2CF1BF5CEC608648F14DC8309
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	09:34:53
Start date:	03/07/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff790650000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:34:53
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Disassembly

Reset < >

Analysis Process: 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exePID: 60, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	1564
Total number of Limit Nodes:	33

Executed Functions

Function 006E1260 Relevance: 54.4, APIs: 26, Strings: 5, Instructions: 197
encryptionmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000000,00000208), ref: 006E12AD
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 006E12BC
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006E12D5
SetFilePointer.KERNELBASE(00000000,000000FC,00000000,00000002), ref: 006E12ED
ReadFile.KERNELBASE(00000000,?,00000004,?,00000000), ref: 006E1302
LocalAlloc.KERNEL32(00000000,?), ref: 006E1309
SetFilePointer.KERNELBASE(?,?,00000000,00000002), ref: 006E131C
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 006E132B
CertOpenSystemStoreA.CRYPT32(00000000,TrustedPublisher), ref: 006E1334
CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 006E1375
CryptMsgGetParam.CRYPT32(?,0000000B,00000000,00000000,00000004), ref: 006E1392
LocalAlloc.KERNEL32(00000000,00002000), ref: 006E13C4
CryptMsgGetParam.CRYPT32(?,0000000C,00000000,00000000,00002000), ref: 006E13DA
CertCreateCertificateContext.CRYPT32(00000001,00000000,00002000), ref: 006E13EA
CertAddCertificateContextToStore.CRYPT32(?,00000000,00000001,?), ref: 006E13FD
CertFreeCertificateContext.CRYPT32(00000000), ref: 006E1404
LocalFree.KERNEL32(00000000), ref: 006E1414
CryptMsgClose.CRYPT32(?), ref: 006E1422
LoadLibraryA.KERNELBASE(dfshim), ref: 006E142C
GetProcAddress.KERNEL32(00000000,?), ref: 006E1437
Sleep.KERNELBASE(00009C40), ref: 006E144D
CertDeleteCertificateFromStore.CRYPT32(?), ref: 006E146B
CertCloseStore.CRYPT32(?,00000000), ref: 006E147A
CloseHandle.KERNEL32(?), ref: 006E1483
LocalFree.KERNEL32(?), ref: 006E148C
LocalFree.KERNEL32(?), ref: 006E1491

Strings

TrustedPublisher, xrefs: 006E132D
nW, xrefs: 006E12A3
ShOpenVerbApplic, xrefs: 006E1270
atio, xrefs: 006E129C
dfshim, xrefs: 006E1428, 006E142B

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: CertFileLocal$CertificateCryptFreeStore$AllocCloseContext$CreateParamPointerRead$AddressDeleteFromHandleLibraryLoadModuleNameObjectOpenProcQuerySleepSystem
String ID: ShOpenVerbApplic$TrustedPublisher$atio$dfshim$nW
API String ID: 1177889865-1288618524
Opcode ID: 5b1a1163dd1b20a5145491bd7936f674a1caa352f118cf7a9baa732eaaf3a7be
Instruction ID: e3a8f0ce1e966465d05eb347fed2d6eda8dfb1a9b674daa9a5f1a70b62972c66
Opcode Fuzzy Hash: 5b1a1163dd1b20a5145491bd7936f674a1caa352f118cf7a9baa732eaaf3a7be
Instruction Fuzzy Hash: 2C612971A41358EBEB109BE5DC89FAEBBBAFB08710F104015E605AF2D1D7B15906CB60

Function 006E34FD Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?), ref: 006E351E
TerminateProcess.KERNEL32(00000000), ref: 006E3525
ExitProcess.KERNEL32 ref: 006E3537

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 70e9e81a3c1c3ec34869c2296b49dc3d55df320397cc9e3e951f3352757b069f
Instruction ID: 757075319bc89ecf95b14af021f90119c61266de50f717205b3f424941796708
Opcode Fuzzy Hash: 70e9e81a3c1c3ec34869c2296b49dc3d55df320397cc9e3e951f3352757b069f
Instruction Fuzzy Hash: 13E09231001798EBCB516B55ED49A983B6AEB44365B005418F9068B322CB36DA82CA90

Non-executed Functions

Function 006E4414 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 006E450C
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 006E4516
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 006E4523

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e2b28fe5c2052d96de124c31aab0db685f1fa55b847b168fd400e41251b19ea7
Instruction ID: e9ff1fc0c32508db150f5676078c31fc1ab536df5df76d1aadb4407482be3b94
Opcode Fuzzy Hash: e2b28fe5c2052d96de124c31aab0db685f1fa55b847b168fd400e41251b19ea7
Instruction Fuzzy Hash: 2531C2759023189BCB61DF69D8887DCBBB9AF08710F5041EAE81CAB250EB709F858F44

Function 006E1E1B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006E1E34

Strings

, xrefs: 006E1F98

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: e4b86f0d4696058920e51dba890e7c2a92a3cc04fdfeeeda23792508e57866d2
Instruction ID: 46326444f4c9e743721ea05cd8dd0b28d1962c1cb389c4d0efac1d5477f278e7
Opcode Fuzzy Hash: e4b86f0d4696058920e51dba890e7c2a92a3cc04fdfeeeda23792508e57866d2
Instruction Fuzzy Hash: 0451A3B1D013468FEB15CF6AD895BAABBF6FB09314F10852AE815EB390D3749940CF91

Function 006E4855 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 006E49E8

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 7dcf1b6a036fe1a2fe7e02d391468487216b7245845c6c5cb4502bd23fbc436f
Instruction ID: 918d330bd911e1731cea40dda3fdfac005fa6b38ccbd355737194953fe88406e
Opcode Fuzzy Hash: 7dcf1b6a036fe1a2fe7e02d391468487216b7245845c6c5cb4502bd23fbc436f
Instruction Fuzzy Hash: 37310472801389AFDB248E7ACC84EFB7BAEDB85314F1401ADE559D7252EA309E45CB50

Function 006EA285 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006EA280,?,?,00000008,?,?,006E9F20,00000000), ref: 006EA4B2

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b11718cc6bb81293b54728677770f4bcffc60736929fb47fc5302a2e7aeaac60
Instruction ID: a5e2f6a02d88d5cca284f39fc099f991421fc1ecd89c80cbec3db03785573cca
Opcode Fuzzy Hash: b11718cc6bb81293b54728677770f4bcffc60736929fb47fc5302a2e7aeaac60
Instruction Fuzzy Hash: 86B15A31111748CFD719CF69C48ABA47BE2FF45364F298658E89ACF2A1C335E982CB41

Function 006E1D02 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00001D0E,006E1564), ref: 006E1D07

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3777fe6f34cb02bf5afce811ed2b281f720a33b55d6f149083c756a74eb17346
Instruction ID: 719cf3b9e3442a5d0c9452bfb2c2633daa042d32530ea5477e47b65e9f97e112
Opcode Fuzzy Hash: 3777fe6f34cb02bf5afce811ed2b281f720a33b55d6f149083c756a74eb17346
Instruction Fuzzy Hash:

Function 006E664F Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 006E664F

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: de617b29451ee7febb273b580b238b813bfedf86d8e5863e397c5856d6525d2b
Instruction ID: 56b55bfbecea43a1f370993da3fcfb9e906abbed448f2da8b38d9827d9572bae
Opcode Fuzzy Hash: de617b29451ee7febb273b580b238b813bfedf86d8e5863e397c5856d6525d2b
Instruction Fuzzy Hash: 67A02430101300CFD300CF3C5DCF30C37D755001D030550545004C4130D73440C0D700

Function 006E78B3 Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,006E52D2,00000000,?,?,?,006E7B04,?,?,00000100), ref: 006E790D
__alloca_probe_16.LIBCMT ref: 006E7945
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,006E7B04,?,?,00000100,5EFC4D8B,?,?), ref: 006E7993
__alloca_probe_16.LIBCMT ref: 006E7A2A
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006E7A8D
__freea.LIBCMT ref: 006E7A9A

Part of subcall function 006E3D88: HeapAlloc.KERNEL32(00000000,?,00000004,?,006E7C4B,?,00000000,?,006E662B,?,00000004,00000000,?,?,?,006E3A53), ref: 006E3DBA

__freea.LIBCMT ref: 006E7AA3
__freea.LIBCMT ref: 006E7AC8

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 2597970681-0
Opcode ID: 94666543b7828848cd896290b5c3b9155ca243d17413018de5ab7ad66bbde4c3
Instruction ID: c38a531ce09cc948db40df2f91599787a50dcb670e49e34493309d29239eaf35
Opcode Fuzzy Hash: 94666543b7828848cd896290b5c3b9155ca243d17413018de5ab7ad66bbde4c3
Instruction Fuzzy Hash: F551E072616396ABDB248E6ADC81EBF77ABEB44750B154238FD05DB280EB30DD508760

Function 006E8207 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,006E897C,?,00000000,?,00000000,00000000), ref: 006E8249
__fassign.LIBCMT ref: 006E82C4
__fassign.LIBCMT ref: 006E82DF
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 006E8305
WriteFile.KERNEL32(?,?,00000000,006E897C,00000000,?,?,?,?,?,?,?,?,?,006E897C,?), ref: 006E8324
WriteFile.KERNEL32(?,?,00000001,006E897C,00000000,?,?,?,?,?,?,?,?,?,006E897C,?), ref: 006E835D

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e108b7f8a0bc6722ecd63c8f6d43c743fdf6581215624c3b5dcaac7a7cb0573d
Instruction ID: e44119d2fd642440d8440c2da43091e5f882e7bc0ea7cf0599b6496bbe0c63d4
Opcode Fuzzy Hash: e108b7f8a0bc6722ecd63c8f6d43c743fdf6581215624c3b5dcaac7a7cb0573d
Instruction Fuzzy Hash: 8E51E1719013899FDB10CFA9DC91AEEBBFAEF08310F14415AE955E7291EB30D941CB60

Function 006E21A0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 006E21CB
__IsNonwritableInCurrentImage.LIBCMT ref: 006E2245

Part of subcall function 006EA8B0: __FindPESection.LIBCMT ref: 006EA909

_ValidateLocalCookies.LIBCMT ref: 006E22B9
_ValidateLocalCookies.LIBCMT ref: 006E22E4

Strings

csm, xrefs: 006E222F

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentFindImageNonwritableSection
String ID: csm
API String ID: 1685366865-1018135373
Opcode ID: 8da4e86a91a8450f0c3ef12b06e932896585c7e27532bc848376e30309e35dd5
Instruction ID: e7b62a5d4e42b1b1dfb22f172e0eaa37e5c7cb6d24bedad6a38bc04640456be9
Opcode Fuzzy Hash: 8da4e86a91a8450f0c3ef12b06e932896585c7e27532bc848376e30309e35dd5
Instruction Fuzzy Hash: 9941A53090134A9FCB10DF5AC8A1AEEBBBBAF45324F148159EA156B352D771DB11CB90

Function 006E3582 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006E3533,?), ref: 006E35A2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006E35B5
FreeLibrary.KERNEL32(00000000,?,?,?,006E3533,?), ref: 006E35D8

Strings

mscoree.dll, xrefs: 006E359B
CorExitProcess, xrefs: 006E35AD

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 859279a1aacb6760152caa4d86d595e078558ddf9c8ab5195822b41c751bcf87
Instruction ID: 122cf5ccc68ed265217024deefc5777b59e6b8f3c8953d9bb8dd8f4c25462953
Opcode Fuzzy Hash: 859279a1aacb6760152caa4d86d595e078558ddf9c8ab5195822b41c751bcf87
Instruction Fuzzy Hash: 7FF03C31A01358EBCB119F96DC49BAEBFBBEB44725F114068F805AA390DB314A42CA90

Function 006E6109 Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,006E52D2,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 006E6156
__alloca_probe_16.LIBCMT ref: 006E618E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006E61DF
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006E61F1
__freea.LIBCMT ref: 006E61FA

Part of subcall function 006E3D88: HeapAlloc.KERNEL32(00000000,?,00000004,?,006E7C4B,?,00000000,?,006E662B,?,00000004,00000000,?,?,?,006E3A53), ref: 006E3DBA

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 1857427562-0
Opcode ID: 8a7f3ec8eb78cb7a1fc0506eabcc2b9bcf2fda760752afa48ac9809b0633b60d
Instruction ID: 5450bc04a3a27a47c63ba231c08fc267cd4d1f9869c9328f913cfe14193fc7b0
Opcode Fuzzy Hash: 8a7f3ec8eb78cb7a1fc0506eabcc2b9bcf2fda760752afa48ac9809b0633b60d
Instruction Fuzzy Hash: 8C31E232A0138A9BDB259F6ACC85DEE3BA6EF10350B14012CFC04DB251EB35CD51CBA0

Function 006E5428 Relevance: 6.1, APIs: 4, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006E5431
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006E5454

Part of subcall function 006E3D88: HeapAlloc.KERNEL32(00000000,?,00000004,?,006E7C4B,?,00000000,?,006E662B,?,00000004,00000000,?,?,?,006E3A53), ref: 006E3DBA

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006E547A
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006E549C

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap
String ID:
API String ID: 1993637811-0
Opcode ID: 77328b585684fe4a762356580e9b44533271cfa9a48051d17057b14dbf7009eb
Instruction ID: 5161ff4ef48a2f0763a157f4bb24101dd170103b4731d1d511d447fff96a21a6
Opcode Fuzzy Hash: 77328b585684fe4a762356580e9b44533271cfa9a48051d17057b14dbf7009eb
Instruction Fuzzy Hash: 1301D872603B95BF632116675C8DCBB6AAFDEC2BB5315012CFD05CB241EA608C4281B0

Function 006E55E7 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,006E558E,00000000,00000000,00000000,00000000,?,006E578B,00000006,FlsSetValue), ref: 006E5619
GetLastError.KERNEL32(?,006E558E,00000000,00000000,00000000,00000000,?,006E578B,00000006,FlsSetValue,006ED248,006ED250,00000000,00000364,?,006E4397), ref: 006E5625
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006E558E,00000000,00000000,00000000,00000000,?,006E578B,00000006,FlsSetValue,006ED248,006ED250,00000000), ref: 006E5633

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: f2d14e81fee2a2b20f2da9020ec82d53f9821751d6d5e8068f8985394b365c53
Instruction ID: b805a6d9be047cae600bd35d278ae4658c619cf0f3e7bf31891ca5372de2ad56
Opcode Fuzzy Hash: f2d14e81fee2a2b20f2da9020ec82d53f9821751d6d5e8068f8985394b365c53
Instruction Fuzzy Hash: EB017B322037A2DBC7204B7A9C84E96775BAF447B87600520FA17D7360D721D802C6E0

Function 006E14BC Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___scrt_initialize_onexit_tables.LIBCMT ref: 006E14DF
__RTC_Initialize.LIBCMT ref: 006E14EE

Part of subcall function 006E1A87: __onexit.LIBCMT ref: 006E1A8D

Part of subcall function 006E1B45: InitializeSListHead.KERNEL32(006F2B00,006E1513), ref: 006E1B4A

___scrt_fastfail.LIBCMT ref: 006E1551
___scrt_initialize_default_local_stdio_options.LIBCMT ref: 006E1557

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_initialize_default_local_stdio_options___scrt_initialize_onexit_tables__onexit
String ID:
API String ID: 3692885319-0
Opcode ID: a5941b45a1091f01ce40834c6256c5e84dad6fef976080147d5d5cfe43be49c5
Instruction ID: ee2aef2d896493ec03f8fd02eeddf2f2798fcb53b09b09a90e2008e3492774f3
Opcode Fuzzy Hash: a5941b45a1091f01ce40834c6256c5e84dad6fef976080147d5d5cfe43be49c5
Instruction Fuzzy Hash: D3F0FDB15433D221D9E037F71C0BAAE028B0EA3711F40499EB5809F283FDB58642706E

Function 006E42C5 Relevance: 6.0, APIs: 4, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,006E3D23,006F1098,0000000C,006E1D4E), ref: 006E42C9
SetLastError.KERNEL32(00000000), ref: 006E4331
SetLastError.KERNEL32(00000000), ref: 006E433D
_abort.LIBCMT ref: 006E4343

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 5c06ba9b8fa72b7d8904f5b62dd5b30e312d6aa3512010336cda4d039bc4a818
Instruction ID: f6bf25dae72d3fe554ed9f252bb4726ba748eb933388bb8b5ceab91106860c58
Opcode Fuzzy Hash: 5c06ba9b8fa72b7d8904f5b62dd5b30e312d6aa3512010336cda4d039bc4a818
Instruction Fuzzy Hash: 47F08C361077916BC75273776C4EBAB2A6B8FD1770F250128F92597392EE2189028168

Function 006E2DD9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe,00000104), ref: 006E2E19

Strings

+o, xrefs: 006E2E25
C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe, xrefs: 006E2E10, 006E2E17, 006E2E46, 006E2E7E

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID: FileModuleName
String ID: C:\Users\user\Desktop\1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe$+o
API String ID: 514040917-258262031
Opcode ID: 62cb065e8100965e414103172b56f3ff2ce310c6f15764994cbe8124c66b5e30
Instruction ID: bc6e9e1cb5b23011619b587ad93e5be5db3bb57d842828cc4af1b4c836052f47
Opcode Fuzzy Hash: 62cb065e8100965e414103172b56f3ff2ce310c6f15764994cbe8124c66b5e30
Instruction Fuzzy Hash: FC318571A023A9AFDB21DF5ADC959AEBBFFEF85310B10405AE40497311D6704E41CB90

Function 006E4CC8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,006E4F51,?), ref: 006E4CF3
GetACP.KERNEL32(00000000,?,?,006E4F51,?), ref: 006E4D0A

Strings

QOn, xrefs: 006E4CE1

Memory Dump Source

Source File: 00000001.00000002.1340143419.00000000006E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006E0000, based on PE: true

Associated: 00000001.00000002.1340123924.00000000006E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340177619.00000000006EC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340196740.00000000006F2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1340219453.00000000006F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6e0000_1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.jbxd

Similarity

API ID:
String ID: QOn
API String ID: 0-1339326976
Opcode ID: 16beec529977922557059acf4adff260e45b233305cb776648d80d5d5dbc57e8
Instruction ID: 81aa4042da6390a672caae5be435dd7ea37140e8bf64c6a0fdf870cf591872a4
Opcode Fuzzy Hash: 16beec529977922557059acf4adff260e45b233305cb776648d80d5d5dbc57e8
Instruction Fuzzy Hash: 45F037308012C98BDB209B69DC497B877A2FF4033AF240748E9258B6E1DBB25946CB85

Analysis Process: dfsvc.exePID: 5408, Parent PID: 60COMMON

Execution Graph

Execution Coverage:	16.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	121
Total number of Limit Nodes:	13

Executed Functions

Function 00007FFAACCB1488 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 415
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2O_I, xrefs: 00007FFAACCB1504

Memory Dump Source

Source File: 00000002.00000002.2184803628.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaaccb0000_dfsvc.jbxd

Similarity

API ID:
String ID: 2O_I
API String ID: 0-847486308
Opcode ID: 842e7cd5aa705a77072c334c53a9d3523d036faee2d8011e4e05bc7942eee97e
Instruction ID: d0a10df603521eeaa6184b30b79e11ba6ce542966a0a9e6c8245377c92539198
Opcode Fuzzy Hash: 842e7cd5aa705a77072c334c53a9d3523d036faee2d8011e4e05bc7942eee97e
Instruction Fuzzy Hash: DAC1F69290EBC98FE7559BAD58192B97FE1EF57210B0881BBD04EC7297E914D80A8381

Function 00007FFAACCC1212 Relevance: 1.8, APIs: 1, Instructions: 275
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetGetCookieW.WININET ref: 00007FFAACCC13F6

Memory Dump Source

Source File: 00000002.00000002.2184803628.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaaccb0000_dfsvc.jbxd

Similarity

API ID: CookieInternet
String ID:
API String ID: 930238652-0
Opcode ID: 634780bfb0641a5aa86015fe0e5c267b0df22c9950c6e8d88ac3d821f1cd5cbf
Instruction ID: 615d4082253518a81e6c6971ffc724ec1a14005bfe464383e71cc6e1d8d72d83
Opcode Fuzzy Hash: 634780bfb0641a5aa86015fe0e5c267b0df22c9950c6e8d88ac3d821f1cd5cbf
Instruction Fuzzy Hash: 2291C130508A8D8FEB69DF28D8557E53BE1FF99310F04826FE84DC7292CB74A8458B81

Function 00007FFAACCB99EB Relevance: 1.7, APIs: 1, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFAACCB9B1C

Memory Dump Source

Source File: 00000002.00000002.2184803628.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaaccb0000_dfsvc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 204f4905ed5494974466d8ea7c0a8546b9328484f24256c483179ead537d3b41
Instruction ID: a12a21335baea804dec137e3e73d26296ea9c027b341a6f2db00f7469698cdf4
Opcode Fuzzy Hash: 204f4905ed5494974466d8ea7c0a8546b9328484f24256c483179ead537d3b41
Instruction Fuzzy Hash: C251807191CA5C8FDB68EF58D845BA9BBF0FF59310F1442AEE04DD3252CB34A8858B81

Function 00007FFAACB9EEBF Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2184464193.00007FFAACB9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffaacb9d000_dfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d4f14c37e8c6e77c7fe16502f227210813aa48626b5fff1b9479f3abd370a9
Instruction ID: 5a03dfc707f8a87fc3405a91d590ed12c616fa095890e14ccdaea96617907eea
Opcode Fuzzy Hash: a9d4f14c37e8c6e77c7fe16502f227210813aa48626b5fff1b9479f3abd370a9
Instruction Fuzzy Hash: 4F41B37140DBC48FE7569B2898459523FF0EF57320B1541EFD089CB1A7DA2AE84AC792

Analysis Process: ScreenConnect.WindowsClient.exePID: 7812, Parent PID: 5408COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	8
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFAACCBF62B Relevance: 1.7, APIs: 1, Instructions: 179
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FFAACCBF75C

Memory Dump Source

Source File: 00000010.00000002.1795061596.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaaccb0000_ScreenConnect.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 641a78048a7f589afee95a2de86f7252bf1fa7fc2d867f0c0541acc0d8472609
Instruction ID: 90c72263692cd95f44596f7f1c89c93ecfc94b81835473e32a4a5b95d8290d8c
Opcode Fuzzy Hash: 641a78048a7f589afee95a2de86f7252bf1fa7fc2d867f0c0541acc0d8472609
Instruction Fuzzy Hash: 3F51AF7190CA5C8FDB58DF58D845BA9BBE0FB59310F1442AEE04DD3252CB74A8458B81

Function 00007FFAACCB83C4 Relevance: 1.7, APIs: 1, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFAACCB84F2

Memory Dump Source

Source File: 00000010.00000002.1795061596.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaaccb0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: 6e367a00bb3a28b93cdb765924ae851437439f2abbbb2e3c50ca867f5f34e29e
Instruction ID: c80deb40e3598e1b3123d2c717614e6656721b4b801560aa069d96bb2edbd13d
Opcode Fuzzy Hash: 6e367a00bb3a28b93cdb765924ae851437439f2abbbb2e3c50ca867f5f34e29e
Instruction Fuzzy Hash: 2341287190CB498FE7159FA8984A5EABBE0EF56310F04417FE049C3193DB68A84A87D1

Analysis Process: ScreenConnect.ClientService.exePID: 7848, Parent PID: 7812COMMON

Executed Functions

Function 010D2095 Relevance: 2.9, Strings: 2, Instructions: 370COMMON

Download Yara Rule

Strings

;$r^, xrefs: 010D2309
, xrefs: 010D235E

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ;$r^$
API String ID: 0-2188298845
Opcode ID: ec322cb47f796669e390943368fdcd6513e20691f4a3c32de804512074c9a933
Instruction ID: f15f9867480777cce3671cef94d8d5e425211fc2b5c26c453eba65fc63294f4e
Opcode Fuzzy Hash: ec322cb47f796669e390943368fdcd6513e20691f4a3c32de804512074c9a933
Instruction Fuzzy Hash: 7051BF307003458FD726EB79D9546AE7BE2EF88310B1484A9E446DB3A5DF35EC06CB91

Function 010D5638 Relevance: 2.6, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

t*;u, xrefs: 010D567A
t*;u, xrefs: 010D5684

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: t*;u$t*;u
API String ID: 0-727745153
Opcode ID: f60970706032459cbfdbac0b60c59fae8ac710d4ae2021e63dfd755655af9fbf
Instruction ID: 86d09827c4da81dec55d4b8b3f189683952848e9969ce9d3da8dc6c4ff30cf24
Opcode Fuzzy Hash: f60970706032459cbfdbac0b60c59fae8ac710d4ae2021e63dfd755655af9fbf
Instruction Fuzzy Hash: 0B11A175F00305AFEB64CE69DC00AAFB7F6AFC8211F548565D954D7250E77299028B90

Function 010D185F Relevance: 2.5, Strings: 2, Instructions: 16COMMON

Download Yara Rule

Strings

$q, xrefs: 010D1881
$q, xrefs: 010D1875

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: c763e6944034364537d175934198c18165edd7775e0ca5dc8f02b47b4e9953a4
Instruction ID: cf1704a11b00e5a0926092b97b8c190590ca0f5f8a98036d9431a55aca2ef677
Opcode Fuzzy Hash: c763e6944034364537d175934198c18165edd7775e0ca5dc8f02b47b4e9953a4
Instruction Fuzzy Hash: 28D05E307082098FD728DB7AF8429153BF1BF9820032601EAE84ACB272CE31D802CA81

Function 010D5218 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

(q, xrefs: 010D523A

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: cb782aaebb7b6aaf0302a7787a2656923d6071dfa947bf6d257efd3dfe000902
Instruction ID: 7be24f2bb980f0a08400b1c7e7750c54b17cc5575bb9461af10b86fd29fc0131
Opcode Fuzzy Hash: cb782aaebb7b6aaf0302a7787a2656923d6071dfa947bf6d257efd3dfe000902
Instruction Fuzzy Hash: C761E838B107058FDB14DF69E894AAEB7F2FF8D205B148199E9469F365DB30EC029B40

Function 010D42D0 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(q, xrefs: 010D42F1

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: b0be57e26ee9f6c0e841eb6738511cb3d1c50124f4fc729c303d1932f73dca12
Instruction ID: 856b895bcc21b3b09266e96acd6e0b4619ded61fb6bc8589c5ee6a7892857756
Opcode Fuzzy Hash: b0be57e26ee9f6c0e841eb6738511cb3d1c50124f4fc729c303d1932f73dca12
Instruction Fuzzy Hash: 1641B031E002058BDB25EF68E49466DBBA2EF84310F04C169E90ADF24ADF35A806CB91

Function 010D3460 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

[', xrefs: 010D3528

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ['
API String ID: 0-410297704
Opcode ID: 15b7a4fbb96cbcb808b7d448a1243d58421d2f9d25a647a7af38892b4dc5d909
Instruction ID: d3f6bbff82aeaa65f83e75c70975169885aac5252a6e2c642eb1974225201a09
Opcode Fuzzy Hash: 15b7a4fbb96cbcb808b7d448a1243d58421d2f9d25a647a7af38892b4dc5d909
Instruction Fuzzy Hash: 4331E4B9B007124BD721EB79A95166EB7E6FFC92103408528D816DB344EF34FD068BD2

Function 010D5627 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

t*;u, xrefs: 010D567A

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: t*;u
API String ID: 0-3961405802
Opcode ID: a35e0ca72b1ccd8e232a62b1aa89e39a6b215229ac3345c213af32278be355bd
Instruction ID: 701ec728df9575adcac0b35d8e322048d46cac4e10982d63bc4e8820dd6a3a77
Opcode Fuzzy Hash: a35e0ca72b1ccd8e232a62b1aa89e39a6b215229ac3345c213af32278be355bd
Instruction Fuzzy Hash: 3511A1B5E00305AFEB25CE69D840AEBB7F6EFC8611F4585A6D994DB150E772C9028B80

Function 010D7750 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78bd5f8c7b39828c4c737a3335211cdd9f3cd532c0a7f6ffdfb6c39387cefc9f
Instruction ID: bba6ed41df22ba0a8487d1d4a671bf20c6720b7f8f64415be1e606950fd9da11
Opcode Fuzzy Hash: 78bd5f8c7b39828c4c737a3335211cdd9f3cd532c0a7f6ffdfb6c39387cefc9f
Instruction Fuzzy Hash: 0951AD74E003089FDB11EFB4E844B9DBBB2FF89300F508659E005AB295DB78A946CF91

Function 010D4920 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd050d698fc96343884493c341573553278cd7f99a6a2e2e930d4650616bded
Instruction ID: d3977de59f55f1a1cdb6475eda07b7357646d81b1f11906f39a1d8c162515297
Opcode Fuzzy Hash: bbd050d698fc96343884493c341573553278cd7f99a6a2e2e930d4650616bded
Instruction Fuzzy Hash: 7451F834600B018FD734CF2AD484A66B7F2FF8D225B149A5CE496DBBA5DB31E806CB45

Function 010D6F41 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dec79c6fa477ce42df9a438127d265d22b0aa24ff1a43cdb7f83c559b655971
Instruction ID: c3010a7e576dca2f95978488e895eb2ba6e6f17e4a83bfab7dfe99ba59705ab2
Opcode Fuzzy Hash: 4dec79c6fa477ce42df9a438127d265d22b0aa24ff1a43cdb7f83c559b655971
Instruction Fuzzy Hash: 3941E131B003518FD7149B68D85476EBBE1EB84315F1886AAE59ACB2E2CB36DC85C781

Function 010D3648 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3d98f6a8dae69ad83b2fa77016a3032a1d46f5cf9d991b4522e206ad09ec85
Instruction ID: 22bf4d2221e0a896256120a1fdf94c1cb94428455b566cb5eec9ef44935d1f83
Opcode Fuzzy Hash: 6a3d98f6a8dae69ad83b2fa77016a3032a1d46f5cf9d991b4522e206ad09ec85
Instruction Fuzzy Hash: EC51A0B4A00705CFDB71CF29D84466ABBF1FF88311B148A68E096CB7A5D730E906CB91

Function 010D774A Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339e69a8b1b82f3fdc5d63cc0452accf1d1a720a5f67070ca8d06c2fd097d2ae
Instruction ID: 85e29c93e207b84542395c38943531b165ce8aaf63695659cff74ac24fb37ff0
Opcode Fuzzy Hash: 339e69a8b1b82f3fdc5d63cc0452accf1d1a720a5f67070ca8d06c2fd097d2ae
Instruction Fuzzy Hash: 56515C74E103099FDB11EFB4E844BDDBBB2FF88300F108629E105AB294DB75A996CB51

Function 010D3658 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f826692f104bbd919a5c829fc99bd446ac8d14e9e0e8c58dc2b8f63bdfeece
Instruction ID: 28425e6e8987bba485f4612b70be8ded2d369067c3818c2585729e2d0074d820
Opcode Fuzzy Hash: 14f826692f104bbd919a5c829fc99bd446ac8d14e9e0e8c58dc2b8f63bdfeece
Instruction Fuzzy Hash: B9418DB4A00705CFDB70CF29D84465ABBF1FF88311B118A68E496DB7A4DB30E905CB91

Function 010D3DA0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8500827712e2a3a5691addc9b9f559a7434584a1ac502ae997ce261d6e263e9
Instruction ID: 334e623fbac06bb285861b43b16017756db0a28cafe19c1b8c178f78436508cf
Opcode Fuzzy Hash: b8500827712e2a3a5691addc9b9f559a7434584a1ac502ae997ce261d6e263e9
Instruction Fuzzy Hash: 39318B71B002058BEB24DF6AC458AAFF7F6EF89355F108469E446EB694DB709C018BA1

Function 010D3808 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e4710a554f2cb547ce210b6d57541ce255c1a4b82844e77a8aa020e6b9c776
Instruction ID: 8b12f9a415889e11c4258ed9744f5e51e828cc1a434aead8a05fc9987642049b
Opcode Fuzzy Hash: b3e4710a554f2cb547ce210b6d57541ce255c1a4b82844e77a8aa020e6b9c776
Instruction Fuzzy Hash: 4431DFB0F043499FCB15DBA8D85566EFBB2FF85310B1480BAD649DB391DA309C02CB96

Function 010D5528 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d44073d11c956684a9a4f86c5ba51d00d045b041a4a9b2abc30da275ed3ad1b
Instruction ID: f3983b618df97432a71af044d62c7a7484946dfad0f5158c5922e9451972e397
Opcode Fuzzy Hash: 6d44073d11c956684a9a4f86c5ba51d00d045b041a4a9b2abc30da275ed3ad1b
Instruction Fuzzy Hash: 57313E706007018FC770CF29D894A6AB7F2EF89721B544A5CE896DB7A5D730E905CB91

Function 010D50A0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793107d8c3f4681d84da7982ed2a3d0a62538d598e3dde8e3c9f055be6af035d
Instruction ID: c303185d98d2e0194fc31cf8bbb4e292b65e4983a6db2c79048aaec5e222c38b
Opcode Fuzzy Hash: 793107d8c3f4681d84da7982ed2a3d0a62538d598e3dde8e3c9f055be6af035d
Instruction Fuzzy Hash: 69112475B003545BE714EB69D886B7EBBA2EFC0310F008629E505AB384DF70BD0A8791

Function 010D4B50 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d55cd5ad1c4e8f15d18c941bc3f5f93ad2e4b24742373a1c3e81fde16e6b2e
Instruction ID: 702e7e1188a10708ce4a8dc8d02dbd2ee61888ec522acdf1669e7ce11f0cfd58
Opcode Fuzzy Hash: 28d55cd5ad1c4e8f15d18c941bc3f5f93ad2e4b24742373a1c3e81fde16e6b2e
Instruction Fuzzy Hash: 40215E306007058FD734CF69D84469ABBF1EF84320F008A6CE4929BAE5DB71E94ACF80

Function 010D50B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2834ff3faedff5e6abc400116ceab1fa81be15f92d99e954f296784edda4377f
Instruction ID: ee4e111c3b470aea047863be4f4d6439d88e6358c1f143b0e017352d87e48fa1
Opcode Fuzzy Hash: 2834ff3faedff5e6abc400116ceab1fa81be15f92d99e954f296784edda4377f
Instruction Fuzzy Hash: 9111B235B002559BE714FB69D946B7EB7A2EBC4310F408629E505AB384DF70BE0687D1

Function 010D3870 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a4c7418bfee3a6cd86641f6a3783083ea776e13f1967591dde8918f8ac81e7
Instruction ID: def2893079337162fb4d9e7e61777549824c88dad05edd03254f4b0d6e6ae6a8
Opcode Fuzzy Hash: 07a4c7418bfee3a6cd86641f6a3783083ea776e13f1967591dde8918f8ac81e7
Instruction Fuzzy Hash: 6311CEB0B053458FCB118B68D49196EFBB2FF89210B1481A9D8498B351DA31DC02CB92

Function 010D4F21 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de0877ed4e473b0e9597f40b216683b530c6aa0013ba6eb331458889b7d7e11
Instruction ID: 7653564eb0f302f9cc6e089a335de53445548d8a6fafc230f0658736668eac38
Opcode Fuzzy Hash: 8de0877ed4e473b0e9597f40b216683b530c6aa0013ba6eb331458889b7d7e11
Instruction Fuzzy Hash: 34115476E0121A9FDB01DFA4D980ADEBBB5FF49304F108159DA04BB251D771EA06CB90

Function 010D5015 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb97380c4d841faff9ce6e3b1d50b0d932d657b463c2e780f8d8cb9b37bb65d
Instruction ID: 63809fb82e4bba15c3a2b02a4f24bcfc4af97257be9ee8225b8403ea5a8af52e
Opcode Fuzzy Hash: 5bb97380c4d841faff9ce6e3b1d50b0d932d657b463c2e780f8d8cb9b37bb65d
Instruction Fuzzy Hash: AF118B3290024E8FDF10DFA8D880AECBFB2FF84214B58C544E445AB125DB31A90BCBA1

Function 010D6E38 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3407c7c9e4b01360f054c30d1add6b51fda38e439a55d8b70503b164a5f1d601
Instruction ID: db74241e71f358da7d4f66349b9a18156593e7e63b21c892a23e4c271caa1cbd
Opcode Fuzzy Hash: 3407c7c9e4b01360f054c30d1add6b51fda38e439a55d8b70503b164a5f1d601
Instruction Fuzzy Hash: 5F01F771F003249FDB14DB69E84469BB7E9EBC4210B14496AD405DB341DEB6EC078BC0

Function 010D4F30 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9d6c5d59b0720e211f31ed23a90ad18fa268f7ff80aea852074664f018570d
Instruction ID: 42f314c46c83905161826ac41e9d28b028f68504b1f70d2d52bc0c592479f390
Opcode Fuzzy Hash: eb9d6c5d59b0720e211f31ed23a90ad18fa268f7ff80aea852074664f018570d
Instruction Fuzzy Hash: 6E111236E0021A9FCF00DFA4D9409DEBBF5FF49314B108569E605BB261D771BA1ACB91

Function 00CED005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1773794193.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ced000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fee1815f9414be43eeb4fbd761623c79a8681443bd8e23b17507b212baaa6f
Instruction ID: 4d05f0244c6e2927de78e2a7d06ccfef4ff71f26d3e31863596ceb2bdfdd52b3
Opcode Fuzzy Hash: f4fee1815f9414be43eeb4fbd761623c79a8681443bd8e23b17507b212baaa6f
Instruction Fuzzy Hash: E101296100E3C09ED7128B258894B52BFB8DF53224F1D81DBD8998F2A3C2695849C772

Function 00CED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1773794193.0000000000CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_ced000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e31fc837f22bed0e40c94c4161f557673f8a6dc56095416c3272cf6de03a76
Instruction ID: 33d587f93c8b3bc196e261b7dd6aab70140cf760b7321e910a72fe394b7849f5
Opcode Fuzzy Hash: 63e31fc837f22bed0e40c94c4161f557673f8a6dc56095416c3272cf6de03a76
Instruction Fuzzy Hash: ED0126314083809EE7205E23CCC4B67BF98DF41325F1CC41AEC6A0F282C6799D46CAB2

Function 010D35C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 035a8e5d9d57aace41e89d51f2ec12b6d3d6dda14c65d89a2c7640fffd69400e
Instruction ID: c7adb18091a819bcaee66211b27c335584bf56622c4bbee91a01a15c5c50c724
Opcode Fuzzy Hash: 035a8e5d9d57aace41e89d51f2ec12b6d3d6dda14c65d89a2c7640fffd69400e
Instruction Fuzzy Hash: 40F02D75B013505FC3219B79A8014EABFF5EEC5110300457AD549CB701DE35D90B8BC1

Function 010D4FB1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80ab40e4d3c3e124ceae735d7cfb34558e8f25604e4253d677d76775f8c1dfd
Instruction ID: a93654388ef0881c4f60b4d90e2b9b89b92a5dbcd43bac34da741a42dcb69435
Opcode Fuzzy Hash: f80ab40e4d3c3e124ceae735d7cfb34558e8f25604e4253d677d76775f8c1dfd
Instruction Fuzzy Hash: D8019272D0065A9FDB04DFA9D8449DDBBB6EF98310F05812AE545B7250D730A917CB90

Function 010D1E65 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b31171f12e2d683771bd295cd553e8e9c1a91cfe1723a724395169f17ed3774
Instruction ID: fdf21a6cf35d1f89cbd5b5939bacef0801070fe2a06416cbbc8aea3a24fd1a68
Opcode Fuzzy Hash: 8b31171f12e2d683771bd295cd553e8e9c1a91cfe1723a724395169f17ed3774
Instruction Fuzzy Hash: 82F0C2363597808FC70B57B4A8A51A97F62AE9623134981DBD481CB1E3CE349C57C362

Function 010D8148 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fc678a5d3524d323c67a9eb7d5ef39397edc1336d740752b60cadcf17ed161
Instruction ID: 38b1925e779cff615aca1960efb6db871e01c27748af6061097202d3fe1035af
Opcode Fuzzy Hash: 81fc678a5d3524d323c67a9eb7d5ef39397edc1336d740752b60cadcf17ed161
Instruction Fuzzy Hash: A0F05837B083045AD728CABEA80069BBBDECBD4220B24C07FE55DC3640E932A4008768

Function 010D8138 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f8adb4bc8491489416e82dd3849c03b37f1aa809783dc4fd0ca7d70f7eb38f
Instruction ID: 663d63c42171912df38f7eace2b2dca77c218e93602129444fa45f12ead59027
Opcode Fuzzy Hash: 08f8adb4bc8491489416e82dd3849c03b37f1aa809783dc4fd0ca7d70f7eb38f
Instruction Fuzzy Hash: 43E0E573A083005ED719CA7E6801B9BBBDDCFD0210F25C07ED41DC3280E925D401C724

Function 010D6EC8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3fd107f3495774b85f9024d67d6be4443c31da590a3f8af0a13f1c5a8e19230
Instruction ID: d58c9a29448cd49ff22fe60281d23308b57c8e91dc85d1bdf7758a9347d60d4b
Opcode Fuzzy Hash: f3fd107f3495774b85f9024d67d6be4443c31da590a3f8af0a13f1c5a8e19230
Instruction Fuzzy Hash: 03F0E5B2B043449BD7145A6B749C66EBAD6EBC8661B44407DE60AC3381CE6ACC068B51

Function 010D13FC Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d64df68d9263ecd0872fccc2a5be2c3af44b4d5e63f9fecb17961f6599a52c7
Instruction ID: fedf84861855e0f18ca777be022a21291a1bf5bcb6d05a1369d7ebb3da0414a8
Opcode Fuzzy Hash: 9d64df68d9263ecd0872fccc2a5be2c3af44b4d5e63f9fecb17961f6599a52c7
Instruction Fuzzy Hash: 77F059B240C3914FD321D77CE8553987FA1EF9220174406DAD4818F996DB55BA0AD352

Function 010D1298 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9cb09be407688b1db9065eab54c81c61d840714605bb776bfa2e1fe806962ad
Instruction ID: fccce2bfe8c0d45761bcaca2607036dab58fcfcf10fc1ea26b235144a0c50a55
Opcode Fuzzy Hash: c9cb09be407688b1db9065eab54c81c61d840714605bb776bfa2e1fe806962ad
Instruction Fuzzy Hash: 8BF0ED393003049F8B12AA6DE800A7E3BEAEBC0610700802DE546CB344EF70FD0A8BD2

Function 010D1297 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015a09c714e941554a234d5c8448d1f8c5fc831435e8d3feb926e9aee2cd5cad
Instruction ID: 5239759f03798afd75c29c12855e13838d0bb308a51dbee6e6320419838e8f7c
Opcode Fuzzy Hash: 015a09c714e941554a234d5c8448d1f8c5fc831435e8d3feb926e9aee2cd5cad
Instruction Fuzzy Hash: 1EF0A0397002049F8B12A669E810A7E3BE6EBC0610714402DE546CB254DF70BD0A8BD2

Function 010D1810 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4323cc41ac6e1cedf1c67516069d5714af1869c7dfe92727a50b96f9fa56a5d3
Instruction ID: fadfd8e85edd73cde88e19007e703b2333f12164a3f8271c1118ae0a3721f8d7
Opcode Fuzzy Hash: 4323cc41ac6e1cedf1c67516069d5714af1869c7dfe92727a50b96f9fa56a5d3
Instruction Fuzzy Hash: 85F06535609344DFC7069B34951C6697FB5EB461217064096D486C7296DF358C85C752

Function 010D5F4A Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9281a7f718110b734cc87dffc9a203f325ab38c7e658f16af2b49bf5d0de4c0
Instruction ID: 19a5580b2827e1bdbafc3fc74e1fbf2e8e49a335139c6ea8f8127801f3b7f58f
Opcode Fuzzy Hash: c9281a7f718110b734cc87dffc9a203f325ab38c7e658f16af2b49bf5d0de4c0
Instruction Fuzzy Hash: 83E0D8B3B056425FC710852C6C852956BE9CB5D25973D81F1FC94CF292F614CC024B40

Function 010D6ED8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905a170e3d9d3a3e31684087f748fdc8814e9f84ef634d2e52dea5602ef21686
Instruction ID: 88abdb85ba430a4278efde61e08f17aa14c7f5061589982ee437fb863d660886
Opcode Fuzzy Hash: 905a170e3d9d3a3e31684087f748fdc8814e9f84ef634d2e52dea5602ef21686
Instruction Fuzzy Hash: 1FE02672700318978B141AAF788C13EBADAFBCCAA1744403DF20EC3340CE7A8C0583A1

Function 010D5F58 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aff6d51dcae0587c23ef3215fe2945f8ac146287f654fbf09887dc883ec987a
Instruction ID: 51d9142e3bb276df61f541f06b60be51c23c7485f472776f5a8c2f9cdae8dffc
Opcode Fuzzy Hash: 8aff6d51dcae0587c23ef3215fe2945f8ac146287f654fbf09887dc883ec987a
Instruction Fuzzy Hash: 52E08673B006526B8B50811C9C4555576E987492A8B3C81F1FD69CF341F611DC024BD0

Function 010D1801 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12aaa4085765e1e9abafeb070051e36bc869544fc55774f1a42038aba6a88e6
Instruction ID: 79c1db87f68adb38623af4dcf1bb4372e968d9cdb132a8a030629ae5e7a90e65
Opcode Fuzzy Hash: b12aaa4085765e1e9abafeb070051e36bc869544fc55774f1a42038aba6a88e6
Instruction Fuzzy Hash: 9FE09236B053408FC7059F30A55DBAC3FA2EF42222715409AE44BD3651CF35CC86CB42

Function 010D1D8F Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc2b7c4fb3285b59eff31aaa07b855495ae848ea602b41253764fa59f63f6841
Instruction ID: c176b0635e114f19c8edfe521b6aa5640177dca76e5d6807b2bee9c12f6b2522
Opcode Fuzzy Hash: cc2b7c4fb3285b59eff31aaa07b855495ae848ea602b41253764fa59f63f6841
Instruction Fuzzy Hash: A0E0863A7001545FC704A779B959A7E7FA6DBD9261314412AF507D33D0CE718C02CB51

Function 010D1D90 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f726438ddd20ca95dfe528a19f0e511d1be0404ff639f991d5b88bd4fe93f148
Instruction ID: aec28cc4c649a13685f8e25d42c2287e85618d52c3fe31c543aea26c68a66207
Opcode Fuzzy Hash: f726438ddd20ca95dfe528a19f0e511d1be0404ff639f991d5b88bd4fe93f148
Instruction Fuzzy Hash: FAE0863A3001185F8304A779B95966E7F9ADBC92713104126F506D33D0CE319C02CB91

Function 010D1DD9 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e42662d93fcd372b46fee1c95b298327ef36fdbfe9ff3bd60ea673663169f4
Instruction ID: 0dbc9ee4ce17be5e99c892c76b85e0f1e5d740561ecdcff331b51fe01f2a654e
Opcode Fuzzy Hash: b7e42662d93fcd372b46fee1c95b298327ef36fdbfe9ff3bd60ea673663169f4
Instruction Fuzzy Hash: 30E086B1D01249DFDB40DF65E55129E77B5DF50200F0101A89509D7241EF35DF069B81

Function 010D13B7 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c58dd912232aa6ee19147d1b46bed720966f18e93250e408cb3affd136d5ad3
Instruction ID: 34ba3bf7c28c6dfd84036433112e8b55ad194e74db36beceb11462b4d8554428
Opcode Fuzzy Hash: 0c58dd912232aa6ee19147d1b46bed720966f18e93250e408cb3affd136d5ad3
Instruction Fuzzy Hash: EEE0DF321083924BC321EB7CF8493D87F92EF80218F0406A8D4410F94BDA617A1B9795

Function 010D0838 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03b47dcddf173c524fe41c0a2f519c26abe5d38c9b589f250cda2ddbaac7a5a
Instruction ID: 654298d1f9993dff2ddd8acb6535c6c4b3a543ff83b24a8d75a372c54d7a6b89
Opcode Fuzzy Hash: a03b47dcddf173c524fe41c0a2f519c26abe5d38c9b589f250cda2ddbaac7a5a
Instruction Fuzzy Hash: 17E0D870906188AFCB41CB749857BEE7FF49F41200B1481ECD409D7202DA315B16D702

Function 010D8100 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367cb9549ca776d855f627f76937131b36a6dcb5328bd6784baf355cf7a14d4a
Instruction ID: 24892591c6f6def98c804ee6b13d95c934f4d63b909d8360bf7141909acaa9dd
Opcode Fuzzy Hash: 367cb9549ca776d855f627f76937131b36a6dcb5328bd6784baf355cf7a14d4a
Instruction Fuzzy Hash: 07E0C27040429047D789DB68E5897E5BBD4EF12228F9440ACD9858A646E326984FC786

Function 010D12F8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5abf990eee9935ec032249b4e04ccfc974398831c7f6df56a3e6b18e36517b3
Instruction ID: 276a662e0a54d352a453ce93d22683be6e5dd30903e27cb34471138c35fa303a
Opcode Fuzzy Hash: d5abf990eee9935ec032249b4e04ccfc974398831c7f6df56a3e6b18e36517b3
Instruction Fuzzy Hash: 56E04F70E052445E8B40DFBC845129DBFF0AA0A104B1485EEC89DD7712EA3245028F41

Function 010D7F97 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3210502ca565900eaa2aefd0ad279a9403bac36d3c00aeb8a0ba22443ce336
Instruction ID: cff02c33a4473cca6062bfd31210494c2479cacf6fe53e91a3573889f6ef052f
Opcode Fuzzy Hash: 6b3210502ca565900eaa2aefd0ad279a9403bac36d3c00aeb8a0ba22443ce336
Instruction Fuzzy Hash: 46E04F304042409FC340EB78E54A6857FF0EB45610F9484ACD989C7641E236AD07CB91

Function 010D0848 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18febc81affe9f8a8272f196f041bba7bd469a1880f3f2145b8087ee660d049a
Instruction ID: 9f032e7971e536d27422672392caa4fd613546d9ae59b73d976e00f20b6ff9cc
Opcode Fuzzy Hash: 18febc81affe9f8a8272f196f041bba7bd469a1880f3f2145b8087ee660d049a
Instruction Fuzzy Hash: C5D05B7090110CFFCF40DFA4D90156D7BF5DB45201B1041E8D409D7204EE313F159742

Function 010D1DE8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fb7fef69c93c9e360de860b48a0ebaa0220cbb2b497197e338a8bf3e4dca8b
Instruction ID: 6ac3cfc6ea937520659af0104e6d345be495609a3bdcf049fb14e1cc1c353e02
Opcode Fuzzy Hash: 29fb7fef69c93c9e360de860b48a0ebaa0220cbb2b497197e338a8bf3e4dca8b
Instruction Fuzzy Hash: DAD01771A0224CEFCF40EFA9EA0159EB7B9EB85204B1041A8A50AE7300EA316F019B81

Function 010D7E28 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1774171760.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_10d0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598489aa9cf3a6030ca52dc7ff4490590e06b1254be2be7b7e5c3a72a2855975
Instruction ID: 04cb3774c067838fe9a12d50f97462a0f72cf24e62abfe05f2d178c15c639a74
Opcode Fuzzy Hash: 598489aa9cf3a6030ca52dc7ff4490590e06b1254be2be7b7e5c3a72a2855975
Instruction Fuzzy Hash: 91D023F170411047C305C50C9451212E391CFA8600F4BC06E6C88C3351DB11CC134380

Analysis Process: ScreenConnect.ClientService.exePID: 7872, Parent PID: 624COMMON

Executed Functions

Function 00D8C678 Relevance: 2.8, Strings: 2, Instructions: 274COMMON

Download Yara Rule

Strings

$q, xrefs: 00D8C84D
$q, xrefs: 00D8C841

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: aed730444d833748d7771e5b93d2f91e1e8dae4f73788b5521bf05f67fe1bc21
Instruction ID: ec5d574315013ba7def311b480da2df5eb040fad258a248b184dbc7c3e44debb
Opcode Fuzzy Hash: aed730444d833748d7771e5b93d2f91e1e8dae4f73788b5521bf05f67fe1bc21
Instruction Fuzzy Hash: 0CB1B130E10309DFDB14EFA8D894AADBBB1FF85300F119559D445AF365DB70A98ACBA0

Function 00D8EF10 Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

(q, xrefs: 00D8F160
(&q, xrefs: 00D8F041

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (&q$(q
API String ID: 0-2464455664
Opcode ID: 5519af029a5c28242a659aba93b22493fd1bd5cb1d24d297acf67c0787a87f4a
Instruction ID: 92352a0d3eb82845bf51e95ea6aa083b0a80167b2913be80bbad5078db856a4e
Opcode Fuzzy Hash: 5519af029a5c28242a659aba93b22493fd1bd5cb1d24d297acf67c0787a87f4a
Instruction Fuzzy Hash: 87718131F002189FDB19EBB9D4507AE7AB2EFC9700F188129E406AB385DF749D46C7A5

Function 00D891B8 Relevance: 2.6, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

t*;u, xrefs: 00D891FA
t*;u, xrefs: 00D89204

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: t*;u$t*;u
API String ID: 0-727745153
Opcode ID: 3bba12bbac6e3f1d4bdb9d545cacd7dd49b9c023d255ef665e02604157f48214
Instruction ID: 2918f62e7171e07d7d34ca16886983ad1171464692d089c50e151003475fd88a
Opcode Fuzzy Hash: 3bba12bbac6e3f1d4bdb9d545cacd7dd49b9c023d255ef665e02604157f48214
Instruction Fuzzy Hash: B211A171F00209AFDB24DAA9C800BBBF7FAAFC4310F98C565D595D7254E7729902CBA4

Function 00D85410 Relevance: 2.5, Strings: 2, Instructions: 16COMMON

Download Yara Rule

Strings

$q, xrefs: 00D85425
$q, xrefs: 00D85431

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 9e9c2565aff14d2dd2dbdb8b90a847d5672a4f8695828b964d5ec4160598d9fe
Instruction ID: 3c80d977af29d4b1ae2eeb632ede5896d7ac943954626d3eec2ed7aea0da29fe
Opcode Fuzzy Hash: 9e9c2565aff14d2dd2dbdb8b90a847d5672a4f8695828b964d5ec4160598d9fe
Instruction Fuzzy Hash: D8D05E30700A0D8FD728EA6AF541A1133E8BB48B123A600A5E9068B239CA20EC82C761

Function 00D88D98 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

(q, xrefs: 00D88DBA

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: bcd7fe45d2be7f2dd02eb3d5f59094ba25b4760354906b7ba9dc64e6b4f071b2
Instruction ID: 2576ea5cc5d3cde890729e597126ad9141ec897cca5dc641ea11e5e4443362f0
Opcode Fuzzy Hash: bcd7fe45d2be7f2dd02eb3d5f59094ba25b4760354906b7ba9dc64e6b4f071b2
Instruction Fuzzy Hash: 8B61F534B102098FDB14EB68E894A9AB7F2FF8D714B548158F906DB365DB30EC029B50

Function 00D8C6F0 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

$q, xrefs: 00D8C841

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: 70f28904dc46fd5c9e10fe3b7f234f4a959635864ec28243af78edb23f23daf0
Instruction ID: 291bcde0d5f640b166360c67f5ddbc0c37385925dbe8e7611792d8e2233e1b83
Opcode Fuzzy Hash: 70f28904dc46fd5c9e10fe3b7f234f4a959635864ec28243af78edb23f23daf0
Instruction Fuzzy Hash: 68519E30A10709CFCB18EFA9C454AADBBB1FF44300F159959D406AB365EB70ED85CBA0

Function 00D87E50 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(q, xrefs: 00D87E71

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: de4d889710af745a31de4d423cc74b07f015ef0c3892f4014e01a8817e1c82fe
Instruction ID: b02a1da0bb36df86d180ba592ea2056361305dbfb2b1fc256f8808d92718e841
Opcode Fuzzy Hash: de4d889710af745a31de4d423cc74b07f015ef0c3892f4014e01a8817e1c82fe
Instruction Fuzzy Hash: B041C031A00206CFDB29EF65E89466DBBA2EFC4714B14C169D9069B355DB30ED06CBA1

Function 05841D50 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

`Qq, xrefs: 05841DAF

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID: `Qq
API String ID: 0-2318545310
Opcode ID: 992e5d7c0d8b1f864b3f2110835d76c732680ad8ee1036b8f6b382d061f65c1d
Instruction ID: ddb8e189565970b3bdf1f15109b8634b5db777eaf6b03a8291acfaa85bad51d1
Opcode Fuzzy Hash: 992e5d7c0d8b1f864b3f2110835d76c732680ad8ee1036b8f6b382d061f65c1d
Instruction Fuzzy Hash: 05314774E0030C9BDB14DF99D858BDEBBF2AF48310F148419E805AB354DB786845CF51

Function 00D8E4D8 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

LRq, xrefs: 00D8E514

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 538ac47a0faa45eec6aad221b4d3d57fd2034a6a714da49de81551ab940d9ef4
Instruction ID: 9dfe7bebe3574df6087d138fe2b3963b1a0061b52ac4c60a1ff9f81b894e8180
Opcode Fuzzy Hash: 538ac47a0faa45eec6aad221b4d3d57fd2034a6a714da49de81551ab940d9ef4
Instruction Fuzzy Hash: 4821A331B402049FD718EB65D865AAEBFB6ABC8710F18806DE402E73D0EEB09D05CB60

Function 00D8E1A1 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

3, xrefs: 00D8E23E

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-4035909810
Opcode ID: 58434b1903fb18bade8967e6a8b3b0707db279f3efe08d69a7f2360aff2ef526
Instruction ID: edb5636e5c26e212b4eaf3af611a0867f2ed5ac2591666e7934b863161566cfa
Opcode Fuzzy Hash: 58434b1903fb18bade8967e6a8b3b0707db279f3efe08d69a7f2360aff2ef526
Instruction Fuzzy Hash: 68118E757003089FD711EB68EC819AE7BE2FF8A311704896AF409DF351DB71AC058BA0

Function 00D8E1B0 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

3, xrefs: 00D8E23E

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-4035909810
Opcode ID: b111c2a0f27f53a6e5bf9b564e169a8dec6b046c7211f5ec0dde7883c888cc5b
Instruction ID: c138712c893022832d78f20ccc74dfec97559a36e723fb435ae003291773d7df
Opcode Fuzzy Hash: b111c2a0f27f53a6e5bf9b564e169a8dec6b046c7211f5ec0dde7883c888cc5b
Instruction Fuzzy Hash: 0F116D75700308AFD710EB69E8809AEB7E6FB89321700892AF5199F345DB71AD058BA0

Function 00D891A8 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

t*;u, xrefs: 00D891FA

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: t*;u
API String ID: 0-3961405802
Opcode ID: 8a78c51998f06e9523bd0911502d284686ee17496251c6257288257f05ba0dda
Instruction ID: 51de1ee698f615bd454f7bd6afe9e4a56594910bd740e0949c2028f59bef9785
Opcode Fuzzy Hash: 8a78c51998f06e9523bd0911502d284686ee17496251c6257288257f05ba0dda
Instruction Fuzzy Hash: 7C11CE71E00209AFDB25DEA8C840AFAF7B6AF84300B58856AD494DB250D332A906CB94

Function 00D84C61 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

`Qq, xrefs: 00D84C86

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: `Qq
API String ID: 0-2318545310
Opcode ID: 4498e2b74117900c7f12297a488ae0c17280d1858056976899eded4c48f05486
Instruction ID: 20a784af98cca9ae17e4ae0f5a11bda0614fad251738cf979d75b1d0839f6d07
Opcode Fuzzy Hash: 4498e2b74117900c7f12297a488ae0c17280d1858056976899eded4c48f05486
Instruction Fuzzy Hash: 72019631F143098FDB14AB74A81A3BE7EF5EF85310F54447AD916DB281EA748D068BB1

Function 00D85400 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

$q, xrefs: 00D85425

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: $q
API String ID: 0-1301096350
Opcode ID: eac87494bac4c6f6a053f26e1356157f72cd6360a7634064639b36e8456ef075
Instruction ID: 7b073a3c07e00558d5e4b6710ee3d902bfb462e969e818c442326399b1096ce7
Opcode Fuzzy Hash: eac87494bac4c6f6a053f26e1356157f72cd6360a7634064639b36e8456ef075
Instruction Fuzzy Hash: 96E0C230148A088FCB24DFA8F900A8533B8AF44712B1A40A6D808C7235D321C941CB11

Function 00D8D078 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5fd1fdb305ca54a3c5c7b65343cdc621d8f80d2ebf2921e65c3db3d7b23fa2f
Instruction ID: 9b0db28ff6063546bb88661215bc6e0e3ad7402f00f36c4f26eccd5c0dc243e7
Opcode Fuzzy Hash: c5fd1fdb305ca54a3c5c7b65343cdc621d8f80d2ebf2921e65c3db3d7b23fa2f
Instruction Fuzzy Hash: B5A1F974B002088FDB14EFA9D594AADBBF2EF8D700B144159E406EB3A5DB71ED41CBA1

Function 00D8D069 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541f53dc933c669521f7ca87b22955650d312167b3b98bc77e0d725ad1c5eae8
Instruction ID: 5dbf94d8b52604a63e1193b74f899c24bf6887fed7f777ffdd3efa31969a995f
Opcode Fuzzy Hash: 541f53dc933c669521f7ca87b22955650d312167b3b98bc77e0d725ad1c5eae8
Instruction Fuzzy Hash: 82A10A74B002048FDB14EFA9D594A9DBBF2EF8D300B1585A9E805EB3A5DB31ED41CB61

Function 00D8D029 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af42738e8bc00875b0b9071b6141291d894c9328d0fb5a809757dab4845204d6
Instruction ID: ed2e79e19c9f3dd398d34acf1f2982227254bd3ef7d3845101b3cc0a1437243f
Opcode Fuzzy Hash: af42738e8bc00875b0b9071b6141291d894c9328d0fb5a809757dab4845204d6
Instruction Fuzzy Hash: CB910874B002048FDB14EFA9D994A9DBBF2EF8D310B144599E406EB3A5DB31ED42CB61

Function 00D8D043 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1e1bae0d4555a1975501d6d2d11594bf5382e1a7cb58aac7009ea8aa563522
Instruction ID: 8e12168ec386e30fe91be424b372e1851c48f44c218e59a948bfb878480d543d
Opcode Fuzzy Hash: 8d1e1bae0d4555a1975501d6d2d11594bf5382e1a7cb58aac7009ea8aa563522
Instruction Fuzzy Hash: 29910874A002048FDB14EFA9D594A9DBBF2EF8D310B148199E406DF3A5DB31ED46CB61

Function 00D836A0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd464f1b996639fb45ec61246185231daa095da458a3d9d090e28f2a7263644
Instruction ID: 1d9de4a4c1a3d35ca1691bef6f693a3573c3b1a7ab73456a22862d3c2c1e72c6
Opcode Fuzzy Hash: ccd464f1b996639fb45ec61246185231daa095da458a3d9d090e28f2a7263644
Instruction Fuzzy Hash: 4C518771604252CFCB29DF3CEC542D8BBE4EB15755B1809ADE496CF384EB21D902C7A2

Function 00D8E2EB Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f699655283a375746ff186d10dc1b3f7c86eb54bcd3c48c10bde50a06939ba
Instruction ID: 68f4e266eec2dfbb63e684d492cc5d332314fc037b620b3bb5aecc474ade5606
Opcode Fuzzy Hash: b4f699655283a375746ff186d10dc1b3f7c86eb54bcd3c48c10bde50a06939ba
Instruction Fuzzy Hash: 32516834B003058FDB24EB68D880A6AB7E6EFD93107148569F446CF365EB70ED068BA1

Function 00D8E2F8 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5903fdb4e66136a87663c79c7826248cefc60ba637c1f066c411943564a6332f
Instruction ID: 7fb37d54dba842007e2e11f1e9d2ce05117fb29347a7044fed70db0d4ea98c9e
Opcode Fuzzy Hash: 5903fdb4e66136a87663c79c7826248cefc60ba637c1f066c411943564a6332f
Instruction Fuzzy Hash: 45516934B003059FDB24EF68D884A6AB7E6EFD93107148569F446CF365EB70EC068BA1

Function 00D85DF0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435c225753ac516181f8cb6a52e25ffcb74c6b57f177e799ed094a0a651e9151
Instruction ID: 51c8675f1a553963bc01344d687c242a733604b77e04d144d7fbce7e7079bba2
Opcode Fuzzy Hash: 435c225753ac516181f8cb6a52e25ffcb74c6b57f177e799ed094a0a651e9151
Instruction Fuzzy Hash: 7851A130B006058FDB18EF79E954A6E7BE2EF88310B544468E506DB369EF71ED05CBA1

Function 00D884A0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d7bb6e3e3e6b085a4f37e8dfdad6bbcdf088473ffcf1e6d7fa915e22f419b96
Instruction ID: ce903e324019aac86844c403e04690234d375c733bbc6aca0128e3ae5910cad1
Opcode Fuzzy Hash: 6d7bb6e3e3e6b085a4f37e8dfdad6bbcdf088473ffcf1e6d7fa915e22f419b96
Instruction Fuzzy Hash: EF51F634600B018FC724DF29D894A66B7F2FF8D325B644A58E496DB7A4EB31E806DB50

Function 00D85DE0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5fd7b3159e0b9a3b9839b9cf23ba5802be410e199b1b8cec16074aa332464f
Instruction ID: 78dd72224c3be0d55350db595d0530549d70f7f7bf15853e9d2bb7cbd98e11fa
Opcode Fuzzy Hash: eb5fd7b3159e0b9a3b9839b9cf23ba5802be410e199b1b8cec16074aa332464f
Instruction Fuzzy Hash: 75518E30B006058FC719EF79E954A6E7BE2AF88310B544468E506DB3A9DF71ED06CBA1

Function 00D8B2D0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc67b5944d14d2c8262e1845e132291bf452aabad6dd923a9d89ec4ea2588f39
Instruction ID: efbb09d22458b2d3994e6c8f92d17d336f2b6d77b9245d11653cd105a5222c68
Opcode Fuzzy Hash: bc67b5944d14d2c8262e1845e132291bf452aabad6dd923a9d89ec4ea2588f39
Instruction Fuzzy Hash: 26519134E003099FDB24EFB5D844BDDBBB1FF88300F548559E404AB295DB74A95ACBA0

Function 00D8B2C0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda30fcc0b52ee0f7ad211c7e15a92ceb7d27457f6d791cb72178d1387524f04
Instruction ID: 0233065b492855de0237ba2069a7d8dc5429e184c32951c10998d639091b1647
Opcode Fuzzy Hash: cda30fcc0b52ee0f7ad211c7e15a92ceb7d27457f6d791cb72178d1387524f04
Instruction Fuzzy Hash: CA518D34E003099FDB24EFB5E844BDDBBB1FF89300F508559E004AB291DB74A98ACB60

Function 00D85B93 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea37e4bf7126f4a1509e5b470c4eab46524d91d774972519aa3c89158e4aa1f
Instruction ID: b5facff7d925660351605280b2807b82f8f15f0b1942bedd20cd98ea268218ca
Opcode Fuzzy Hash: dea37e4bf7126f4a1509e5b470c4eab46524d91d774972519aa3c89158e4aa1f
Instruction Fuzzy Hash: C431596081E782DFCB1BBB74A8A52A87FE2AE3236578545C7C080CF05EDA149815C7B7

Function 00D86FE8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb565410f8002c8994cddc1981fec2d55d0d4b96970ef28f1939696e670b0db
Instruction ID: 24ba91bbf205f74624f5fd4ab7cf8508a8723a63e40b3928dfa1baafba6a070e
Opcode Fuzzy Hash: adb565410f8002c8994cddc1981fec2d55d0d4b96970ef28f1939696e670b0db
Instruction Fuzzy Hash: 6141B171B053015FC721EF79E8505AE7FE2EFC92207054569D445EF345EF60AD098BA2

Function 00D8EF03 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23b476d9e3849730673fab077058ba18b260d04f3edf5b4ffa9060712f17914
Instruction ID: af3279f8a66657351b0f5cb474cdbac4b572f895648a49938954d6a924c03ffb
Opcode Fuzzy Hash: f23b476d9e3849730673fab077058ba18b260d04f3edf5b4ffa9060712f17914
Instruction Fuzzy Hash: F8412F71E003199FDB15DFA5C980BEEBBB1EF88700F248129E415B7245DB70AD45CBA0

Function 00D8AAB0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a489b0a9dae59e1f437f64d9d10ec2c2f8e665e044f769854f005c46bce6324
Instruction ID: 283cdbc9db4b8368e1be7dda24abff32264e60f048a785447e1fef2356505127
Opcode Fuzzy Hash: 0a489b0a9dae59e1f437f64d9d10ec2c2f8e665e044f769854f005c46bce6324
Instruction Fuzzy Hash: B441E231B012509FE724AB6CD95476EBBE2EF80310F19C56AD8568B392DB31EC85C7A1

Function 00D86FA0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c86f08162b3eb0964f87fe2720d190346e5382bcd972ba50ddb5ad929e8d079
Instruction ID: 609cbb7f4b5232b4b37530d7aff624c83e5cb8d0d43c29ac440721467564485a
Opcode Fuzzy Hash: 3c86f08162b3eb0964f87fe2720d190346e5382bcd972ba50ddb5ad929e8d079
Instruction Fuzzy Hash: 5631E271B013114FC721EA7DA85059E7BE2EF8A3207044569D415DF384EF64ED0A8BE2

Function 00D89968 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c99e3b5dfc78eccf8529fb45fb66fe69cf00f5f66002e1de6a971e4c8f55c86
Instruction ID: 56097ec2947c15f621a11536bfa685baba72b97eb110d2895d0c9ceafb0f3d1c
Opcode Fuzzy Hash: 3c99e3b5dfc78eccf8529fb45fb66fe69cf00f5f66002e1de6a971e4c8f55c86
Instruction Fuzzy Hash: 32415130B106059FC718EF69D864AADBBF6FF88710B194568E446EB3A1DF709D05CBA0

Function 00D89978 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c139369b1dd8a321915e07ae18af23287af8f1a61f16a0cdfca002ebd1a7b8
Instruction ID: 6b3d1af455c3975b99f1aeac79ada75c283cb07ab82c80daeea583bf01e15b8b
Opcode Fuzzy Hash: b5c139369b1dd8a321915e07ae18af23287af8f1a61f16a0cdfca002ebd1a7b8
Instruction Fuzzy Hash: A2415D307106059FC718EF69D864AADBBF6BF88710B194569E446EB3A0DF70AD05CBA0

Function 00D87920 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7507eb6dd6903290ce2069db8ec0623bbf307ba44574c7e031cd4d361f3596c
Instruction ID: 999b3b8d78bb41d342005277cd91be7d5055fe72b1628dc4dc84d5f1af870163
Opcode Fuzzy Hash: c7507eb6dd6903290ce2069db8ec0623bbf307ba44574c7e031cd4d361f3596c
Instruction Fuzzy Hash: 2F318E31B052058FDB18EF69C494AAEF7F6EF89354F248469E40AE7750DB70DD018BA0

Function 00D86FF8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2926529e84d8c86c5b0eefa0eafaee43a7e813662eaaa9bb5ae96eda50fa8a0
Instruction ID: 33958c87adbed5b27152a2ba574d547ca1c954a6d14979bdbab0c745eafe5d3a
Opcode Fuzzy Hash: c2926529e84d8c86c5b0eefa0eafaee43a7e813662eaaa9bb5ae96eda50fa8a0
Instruction Fuzzy Hash: A231A171B013155B8725EF7DE84056EBBE6EFC92607448528D815EB344EF70EE098BE1

Function 05840D60 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423732b6cfb8c732ad8c270b2470c56bae3f84fea0f832eed2ae5a64585bdcfa
Instruction ID: d0be1f837ecfdc478d2cc83152d9e94d4d3a801bbdf0cf5ab971a31b42130a4d
Opcode Fuzzy Hash: 423732b6cfb8c732ad8c270b2470c56bae3f84fea0f832eed2ae5a64585bdcfa
Instruction Fuzzy Hash: 66318931B013198FCB48EF78999466E7AE6ABCC250B148079D90ADB364EF35CD028B91

Function 00D8D7F8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b740b4268d9823209a88cfa30f3b407be9ba8d245c1fcd802c1dd72b776f1624
Instruction ID: 49750ac2a963031a79240cc559a65cbe897a4ee4a396de7b8a19f91f58589c99
Opcode Fuzzy Hash: b740b4268d9823209a88cfa30f3b407be9ba8d245c1fcd802c1dd72b776f1624
Instruction Fuzzy Hash: 75311974A007058FD730EF29D844666BBF2AB49320B144B1CE496DB6E4D730E94ACF94

Function 00D852F8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f525ded8a7eb31ade9a75c98fe0cf92541439363102628d6781a8317b99ff43
Instruction ID: a9777938ea4cf12d024acc4e049e2d76489a17cdcc96765573fad4cccc1ebd98
Opcode Fuzzy Hash: 0f525ded8a7eb31ade9a75c98fe0cf92541439363102628d6781a8317b99ff43
Instruction Fuzzy Hash: 1A318E71D007099FCB14DFA9D845BEEBBF4EF88310F14842AD409A7340DB74A9468FA4

Function 00D87390 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5530e5b5b8596e14d4027322422b2dd70f82fe75aacd67657aa56c00902fc36b
Instruction ID: 81273c68e81ec086687cf0ed5bb20f6e101e2c62d7815fa3d1d669be8d7e7605
Opcode Fuzzy Hash: 5530e5b5b8596e14d4027322422b2dd70f82fe75aacd67657aa56c00902fc36b
Instruction Fuzzy Hash: 3F31B870B052598FC714DF68D85456EFBB2EF85310B24817AD549DB395DB30DC02CBA5

Function 00D86568 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361acc50ca88927ca0d6f8fddb6b977025f3126c09611d45c468cd80ef80440d
Instruction ID: ac13ca599d27307c336314a406a26f4f7d952f58dafbfe9c8ff5861089b63ee8
Opcode Fuzzy Hash: 361acc50ca88927ca0d6f8fddb6b977025f3126c09611d45c468cd80ef80440d
Instruction Fuzzy Hash: A1312F346007018FC730DF29D854A6AB7F5EF89365B144A6CD496DB7A4E730E946CF90

Function 00D836B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873d05128a32ac2687dc331f76391c26c29febf3a47c9cbeac2bf79627a55b1c
Instruction ID: 27767845ba8727b42a58dc91dbe077752a72f3401c45eceb43d7d535ddf55047
Opcode Fuzzy Hash: 873d05128a32ac2687dc331f76391c26c29febf3a47c9cbeac2bf79627a55b1c
Instruction Fuzzy Hash: 4131DC70A05304DFCB10EFB4ED485AEBBB4EF48311B1040AAD81ADB351DB309E01CBA0

Function 00D8D808 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fa35a726743a615cb75230b968a452734c1df8cac4fdc8b39fe3e0250e5ec6
Instruction ID: 66ff3e9d05478f0ef67de54ba67b3d2fde8a6f0ef115f3f3fd05c42d6054684c
Opcode Fuzzy Hash: 42fa35a726743a615cb75230b968a452734c1df8cac4fdc8b39fe3e0250e5ec6
Instruction Fuzzy Hash: E631F970A00B058FD730EF29D84466ABBF2EF49321B144A18D496DB6E5D730E94ACF94

Function 00D890A8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9c58c5d6c34600073d17ca5c6454a62436446c7995e1cca7d4eb42b87602f6
Instruction ID: 17be7f342e1ec5c932bb16e8bdba065d88eee191cf139aa10a2f85b88aebd69c
Opcode Fuzzy Hash: 2a9c58c5d6c34600073d17ca5c6454a62436446c7995e1cca7d4eb42b87602f6
Instruction Fuzzy Hash: E6313E306007058FC734DF29D898A66F7F1EF89721B184A2CD496DB7A4D731E945CBA1

Function 00D8D9B0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9767f6dc0e034ee4da78feb00dca58bd69b53866fe195890d3c74824735a9a
Instruction ID: b104f84a35f1afe6d2fa7f3d3b537d0db72b821c210e55320b433b6c67a14ab9
Opcode Fuzzy Hash: ea9767f6dc0e034ee4da78feb00dca58bd69b53866fe195890d3c74824735a9a
Instruction Fuzzy Hash: 38312C34A007018FC734EF2AC84466AB7F2EF99311B244A19D496DB7E1D730E906CFA0

Function 00D1D59C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2501270314.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d1d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7967552f8d6f4f8e1a22350e981c325cd7b40a33a22944c50d1b06c4cd089ac
Instruction ID: f3012a9b3576e974439c6ebd050dc99bb5e5d04fc2389b267e125f0036aae5c9
Opcode Fuzzy Hash: b7967552f8d6f4f8e1a22350e981c325cd7b40a33a22944c50d1b06c4cd089ac
Instruction Fuzzy Hash: 04212871504204EFDB05DF10E9C0B56BF67FB98324F248169E8490F256C736D896CBB1

Function 00D88C20 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5788470076fdc7ffc50e4ecbace543f672efcfab1a8c558c7922735522e7da22
Instruction ID: e96a6d989837d472ad83edc4486701f9cf15e1fdab0bae5338ec68e3d41232e7
Opcode Fuzzy Hash: 5788470076fdc7ffc50e4ecbace543f672efcfab1a8c558c7922735522e7da22
Instruction Fuzzy Hash: 3721F335B013046FC704EB68E841AAE7BA2EBC4210B048969D4099F395DF70AE1A87E2

Function 00D886D0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229d4052262133ce1e197e38c6b6ecadc8ec5be8dfcf859be95247168fef0232
Instruction ID: fadbc1c94ff10f599b59d18ac84f0fb8373055f7069043e52dd08ab9b3c9acb1
Opcode Fuzzy Hash: 229d4052262133ce1e197e38c6b6ecadc8ec5be8dfcf859be95247168fef0232
Instruction Fuzzy Hash: 1221FA346007058FD734DF26DC5469ABBF1EF84321B248A2DD4939B6A1DB31E94ADFA0

Function 00D8ECD8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712957188da4345258263f217b63e18da84878c423fd449e0fdd39d94bf9b74b
Instruction ID: 152cec02cb9aa791e846130e1e05b7ba368fb40ec78b4a4fbccfa550e9c30c8b
Opcode Fuzzy Hash: 712957188da4345258263f217b63e18da84878c423fd449e0fdd39d94bf9b74b
Instruction Fuzzy Hash: 382137B6C0034ADFCB20DF9AC845ADEBBF5FB48310F148429E954A7210C779A555CFA1

Function 00D8ED03 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011ea0dd393a0a7c4c0cfce6ff56181fcbcbc293bcc70c4ac71e5978cc4d513d
Instruction ID: 3d4549d7bfb177424fb9ce5d4d95a330e46fcd996ecf2e165f0148a023b2d1bf
Opcode Fuzzy Hash: 011ea0dd393a0a7c4c0cfce6ff56181fcbcbc293bcc70c4ac71e5978cc4d513d
Instruction Fuzzy Hash: FA218B31D00B0A9ECB01EFB9D8405EAFBB0EF99300F10CA6AD559B7111FB70A295CB91

Function 05840D4F Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69fa4a750de8f9cec73fcf03bded228a9694ea40aaa484d5a2826e348c3dda5
Instruction ID: bab0bae1a826abca3aae79d618d118f017542e7c718834f3094654386e0da991
Opcode Fuzzy Hash: c69fa4a750de8f9cec73fcf03bded228a9694ea40aaa484d5a2826e348c3dda5
Instruction Fuzzy Hash: 9F116D35B01219CFCB18EF7895541BE76E3AFC8250B64417AC90ADB354EF718E068BD0

Function 00D8A7B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14eb80798a7a4e7e6167a8f8ff32a159a876f200d8c5bdab3ae97c3c1691e63e
Instruction ID: 3d1309c40421f74ee383099e2de0da01ae36b356318740ff21db225ae604fcca
Opcode Fuzzy Hash: 14eb80798a7a4e7e6167a8f8ff32a159a876f200d8c5bdab3ae97c3c1691e63e
Instruction Fuzzy Hash: EA213070A007018FD724EF29D854A6ABBF5FF48310B148A2DD4A6CB790D774E902CFA1

Function 00D88C30 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba3e3288a1063c0d93b63a7f8986be8c7622a0d11f0636e846a4771258b9950
Instruction ID: 56a875d5a3d054e19d8246d24d16161ff8b361ef01ce954aefd51896b21ab92b
Opcode Fuzzy Hash: aba3e3288a1063c0d93b63a7f8986be8c7622a0d11f0636e846a4771258b9950
Instruction Fuzzy Hash: 3511C835B013046BD714EB68E841BAEBBE2EBC4310F008929E5159F385EF70AE1687F1

Function 00D88AA0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df7355b23ab1bc4f816c3241e290194980c8864e3acccd13f82018f4b2fd1ee
Instruction ID: 71e040c8cddbe9372e1a9b9015c042a1170c4045e4dcc92922e9526656bff7e3
Opcode Fuzzy Hash: 4df7355b23ab1bc4f816c3241e290194980c8864e3acccd13f82018f4b2fd1ee
Instruction Fuzzy Hash: 5A113336E0121A9FCB11DFA8D9809DEBBF1EF49314B108169E905FF251D731AA1ACB90

Function 00D84EE8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3273486a87e2ac2e430c812791550c042401c18467de95108de3e4f99101d8d0
Instruction ID: 354ff6945a841eb7825ab49f6dc7ff76b299d34965f3a0e79452ed401ba74925
Opcode Fuzzy Hash: 3273486a87e2ac2e430c812791550c042401c18467de95108de3e4f99101d8d0
Instruction Fuzzy Hash: F62147B1C007099FCB20DF9AD845BDEFBF4EB48320F14842AD919A7240D779A545CFA1

Function 05840F4B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7772effdda414b6fd9b80597809c6810bf9e704c39c7df3d7a95ff83693c3ce3
Instruction ID: 671f181e916165f35276e6ee04f2c8cb0051987c6628cc6c5288c55ec4b56460
Opcode Fuzzy Hash: 7772effdda414b6fd9b80597809c6810bf9e704c39c7df3d7a95ff83693c3ce3
Instruction Fuzzy Hash: 3A0126317043146BD3219B3EA854B6B3FEBEFD465474444B9EA05CF381EE24EE094BA1

Function 00D1D597 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2501270314.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d1d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: e5104d7738af66709b86bfe8ef7ab9649da0f9a2fb9092bb4c15840dd655d269
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: D311E676504284DFCB05CF10D9C4B56BF72FB94324F28C6A9D8490B657C33AD89ACBA1

Function 00D873F8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b99344a7d6f547c2778fcc96570775106d190fc0816ffec4466da36d33eb98
Instruction ID: 2286f5d938fcef73a99d54d31373109f7f08267f6374dd068f956586cb7a5422
Opcode Fuzzy Hash: 55b99344a7d6f547c2778fcc96570775106d190fc0816ffec4466da36d33eb98
Instruction Fuzzy Hash: FC11A370B055098FCB10DF68D494A6EFBB2FFC8310B248169E84A9B354DB30DC42CB90

Function 00D8FA20 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba6c486a6095ebf80dae903624bb98568f4f22922f4ea1b2fef4d709781efe8
Instruction ID: f5f774e554d98bf2deb01432132aa4f83d20f530d1e10e2d0055b3aa0044048d
Opcode Fuzzy Hash: 9ba6c486a6095ebf80dae903624bb98568f4f22922f4ea1b2fef4d709781efe8
Instruction Fuzzy Hash: AE018F763401108B8718DB6EF89486AB7EAFBD8675355847AE509C7310CE72DC1787A4

Function 00D8CBC0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bec848f02d6aff8884c64bda38a66302025650c0f7b96a9394b4dbc72bb867
Instruction ID: ffa8e43159d2fd10f7f1eeeb18e1d0992b98d4b38005cbc25e39c0b0328dc5c4
Opcode Fuzzy Hash: 23bec848f02d6aff8884c64bda38a66302025650c0f7b96a9394b4dbc72bb867
Instruction Fuzzy Hash: 2711EC71E1021DCFEF24EBA4D854BEDBBB1AF89311F005469E005BB2A0DB742D46CBA1

Function 00D88B95 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89bee65c95b906c0d542a4f84a72d2d9d05962277fdbfa5f3540d2f44ac06e4d
Instruction ID: ab836f43fbbc9caba8b4e8922c512dcb5c68474878c16262e22fa2cb3475b7b3
Opcode Fuzzy Hash: 89bee65c95b906c0d542a4f84a72d2d9d05962277fdbfa5f3540d2f44ac06e4d
Instruction Fuzzy Hash: FC116D3190014E9FCB24EFA8D8809ECBBB2EF85314B98C554E045AB115CB31ED47DB71

Function 00D8CBB0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf045839aa0795315e821f83a6500a0748b9dbb61faac14ba330cd52305f5327
Instruction ID: 7baeee69555638a3e64e5f9109f1956a3900eca78750f704f47d35d7c02d9505
Opcode Fuzzy Hash: bf045839aa0795315e821f83a6500a0748b9dbb61faac14ba330cd52305f5327
Instruction Fuzzy Hash: 5B111C70D10208CFEF24EFA4C851BEE7BB1AF48301F045429D406AB360DA742946CBA5

Function 00D88AB0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bada3f3619ddc76773bfade4a4c29946d0c2000426eb910d02933e35869801
Instruction ID: 214100cb23afe0f4cffebaf96f25f8583af8274f12cc3ccec9557aafc69e0101
Opcode Fuzzy Hash: c7bada3f3619ddc76773bfade4a4c29946d0c2000426eb910d02933e35869801
Instruction Fuzzy Hash: 6A115236E0120A9FCF00DFA4D9409DEBBF5FF49314B108169E609BB250D771AE1ACBA0

Function 05840F60 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ce67c922f176ffc33c89408c6909a0d7a69aadcb62f7ab4dfbebd21042a28c
Instruction ID: 411ffe83c5158e33043affe3a3febba2b302e794b3aeb04db5483dadea330b5e
Opcode Fuzzy Hash: 67ce67c922f176ffc33c89408c6909a0d7a69aadcb62f7ab4dfbebd21042a28c
Instruction Fuzzy Hash: 5A012B307003146B93249B7EA854A2B7BEBFFC85A03544479EA05CF380EE64EE0647E1

Function 00D88B30 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7ab14ffc0a1bce50a5a1ef3d290fff7e2de0d0f1d2a184979af19210db447e
Instruction ID: 7b52a56c72f7e2272eb362565b4c019222f32db81b9f1f045c7671c87d25c9bc
Opcode Fuzzy Hash: 5e7ab14ffc0a1bce50a5a1ef3d290fff7e2de0d0f1d2a184979af19210db447e
Instruction Fuzzy Hash: 6401A132E0115A9FCB05DFA8DC448DDBBB2EF88314F05813AE404BB250DB31B91ADBA0

Function 00D8A9C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8554f301f47c5d5e9badb6f9d4f75faecabb4556b3f11616e6b34d329aa0286a
Instruction ID: 03f618a8fe9ef8ff9e470b09a96a4f57d75a6e185824067644b61f0b1018b9ba
Opcode Fuzzy Hash: 8554f301f47c5d5e9badb6f9d4f75faecabb4556b3f11616e6b34d329aa0286a
Instruction Fuzzy Hash: 0401A231F042155B9B18AA6EE84046BBBE9EBC8720314896BE505CB305DBB5DC068BE0

Function 00D1D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2501270314.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d1d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0bef69d4d8d47ca05222f23ded9c8d76a1bcefc348ca8a4454f9506bdf9235f
Instruction ID: 0bb078f34a388302fd42f3cc8490832388d066cebbb004133ec4c9422f39af85
Opcode Fuzzy Hash: d0bef69d4d8d47ca05222f23ded9c8d76a1bcefc348ca8a4454f9506bdf9235f
Instruction Fuzzy Hash: A501A731508344BEE7204A15ECC4BA6BF99DF49325F28C559ED890B182CB79D885CAB5

Function 00D1D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2501270314.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d1d000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9f5f5f04c750ca4aaca1dffe61a59e68ef64ec6d83c3cc821d6448af38991d
Instruction ID: d5ef96f8a517ef6bb47a6fa2e1bbecc40b6714ac9b01696ec6f93335c5bc73e7
Opcode Fuzzy Hash: 8c9f5f5f04c750ca4aaca1dffe61a59e68ef64ec6d83c3cc821d6448af38991d
Instruction Fuzzy Hash: 7101802150E3C05FD7128B258894B92BFB4DF47224F1D80DBD8888F1E3C2695C48C772

Function 058400DF Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8491067d2c33127dd09973cce5110a4fc623e77a0fe826644d6d20a3cb173739
Instruction ID: 4cfe66fdeb4c4af9ef97238b8f9403cc897946da093172a56f5612a5d793eb0e
Opcode Fuzzy Hash: 8491067d2c33127dd09973cce5110a4fc623e77a0fe826644d6d20a3cb173739
Instruction Fuzzy Hash: 8B01215590E7C25FDB07872499E65953F74AE6325578901CAC881CB0A3D608A52FE362

Function 00D88B40 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225629f5579f550345173fb3e5529e8138478dcbe8c2c90d8a9de3079e5512ba
Instruction ID: c8570edc211652382c44cf19d10f0a4f2d11311a57b14d93a84aa9c190c75326
Opcode Fuzzy Hash: 225629f5579f550345173fb3e5529e8138478dcbe8c2c90d8a9de3079e5512ba
Instruction Fuzzy Hash: 73014B32D0165E9BCF08DFA9E8048CDBBF6EF89324F05856AE5057B250DB306956CBA1

Function 00D85A05 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c096c907ff1c796b97abca9ed1dc26103798c98587d52e80e7459cf95b1299
Instruction ID: 9cea19bde114c9954fcf06299dac81c8a2d1a82c381fb7c719506507926225b4
Opcode Fuzzy Hash: 31c096c907ff1c796b97abca9ed1dc26103798c98587d52e80e7459cf95b1299
Instruction Fuzzy Hash: EBF05932319651CBCB0933E8B45419DBB52FEC0332345419BD014CA289DE349C45C372

Function 00D8BCC8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098e2618b9eb41557dc3dd02c0e22072a30bb8f44f2b8acd9ded09750b2d9320
Instruction ID: 7fe439c2a3c0f6e048ca249fad706cbb1aa39d92d2055386555691f453dbb286
Opcode Fuzzy Hash: 098e2618b9eb41557dc3dd02c0e22072a30bb8f44f2b8acd9ded09750b2d9320
Instruction Fuzzy Hash: 4EF05837B093045AD728CABEA40069BBBDACBD4220B24807FE54DC3740E972A8008768

Function 00D8F5D8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6573f3f2faf21c6ed0b4c333a0cc20693ca7dd329a478f3bec90c56b340ae667
Instruction ID: cb06850149bd4d8f92f6d7c7e1a2aeb877aa8619b2580c7e62579d5367db8c8a
Opcode Fuzzy Hash: 6573f3f2faf21c6ed0b4c333a0cc20693ca7dd329a478f3bec90c56b340ae667
Instruction Fuzzy Hash: 43F0893270021C6B9F059E99AC009EF3FABEBC8360B00442AF605C7251DB72995157B5

Function 00D8A9A1 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c730afe3e36f42848bccc707e2bb419bdb3d8cde3c7b59d9a20d8996ac17cfac
Instruction ID: 00d93779e6fb05612d258f0d35dc4e9020cc0f7f2f4322602e2cdb118d797e68
Opcode Fuzzy Hash: c730afe3e36f42848bccc707e2bb419bdb3d8cde3c7b59d9a20d8996ac17cfac
Instruction Fuzzy Hash: 52F0A03350E2911FD7265BB95864AA23FB8DB8756470D09EBE488CB147D4155C06C3A1

Function 00D8F9A8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92caf0e6f5877f266c66f8fecfdfe2ac426a01fd4621b1dc4b29fff353a6325d
Instruction ID: e8c8cf4fb34ab4d980cc31ff10934c55bbbf95c04464cf4ed768175b1fd8d73b
Opcode Fuzzy Hash: 92caf0e6f5877f266c66f8fecfdfe2ac426a01fd4621b1dc4b29fff353a6325d
Instruction Fuzzy Hash: E2F0BE717007106B8624AA6BA840A4EBBAAEEC5760354843AE1098B300DE64AC0A47A1

Function 05840490 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75efa0ab6c08c8e608f3d6dd8cb6c6efe7d664d6501e60bdac49cb9dbee3bfab
Instruction ID: be9f8702f1f7c9ba7be2de01a5ebda27659256caf5df11648bb69a8b57447a18
Opcode Fuzzy Hash: 75efa0ab6c08c8e608f3d6dd8cb6c6efe7d664d6501e60bdac49cb9dbee3bfab
Instruction Fuzzy Hash: 32F0EC313106245FD714A35DD42579D37C9EFCA255F1100A9E90ACB760DE74DC424B71

Function 00D8AA48 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe7d651f636502e975e6fb69419689b9cc725567ac1857f41cc3355b796bf69
Instruction ID: f6babbada53ac3c1542f3389e5c6c9d6c90502efe5d0dac52ded4551007911d9
Opcode Fuzzy Hash: cfe7d651f636502e975e6fb69419689b9cc725567ac1857f41cc3355b796bf69
Instruction Fuzzy Hash: D0F082317052505FC715AFADACD866A7BE6EBC9A11718456EE505C7346CE3148078760

Function 00D831E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd77d63e838713a54efb06b06b610667f12e7bb696d6ea739a6556bcb56e2328
Instruction ID: 0ee834e3513be25613e516a4be2ee6f1e1c45bd6648d9eb7cacbf82fa567f7b2
Opcode Fuzzy Hash: dd77d63e838713a54efb06b06b610667f12e7bb696d6ea739a6556bcb56e2328
Instruction Fuzzy Hash: 77F04930D05248EFCB05EFA8D895A9CBFF0EB46741F2440AAC409EB291DB306F85DB61

Function 05840E89 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f80f85bfe68e828d5870a6d4d42145f8656e6d054165fe9999b78d603b679996
Instruction ID: 889f1e3739dc61bdfa4642388a31003e142a912f361348b2d8e646ff57eaae3f
Opcode Fuzzy Hash: f80f85bfe68e828d5870a6d4d42145f8656e6d054165fe9999b78d603b679996
Instruction Fuzzy Hash: 8AF0E931608384AFC3125B19A8D0896BF78EE87264305849AE989CB243C520BD06C7B1

Function 00D80E1F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cdbde2ec42f218e4701b4a8ad35b68e57bdb5566451687ecb71d8cba30196e8
Instruction ID: 1f1538248c3973e6c712da9b8573cd3bb8120e83264a53dd1178311f8d155d5d
Opcode Fuzzy Hash: 3cdbde2ec42f218e4701b4a8ad35b68e57bdb5566451687ecb71d8cba30196e8
Instruction Fuzzy Hash: 23F090315043119FC3615F74B8180DE7FA1DF9632530445AEE086CB351DE715D8B8BB1

Function 00D8329C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96447a31de5615ecd8828dd15b52333a515489f7dd8afdaaefa9323ec5c49909
Instruction ID: 35945e18552e0b5244dece694892672054eab456d9c4d6ab7768b9c2a72365cd
Opcode Fuzzy Hash: 96447a31de5615ecd8828dd15b52333a515489f7dd8afdaaefa9323ec5c49909
Instruction Fuzzy Hash: C2F024325097914FC322DBA8FC1169D3FE1EE8621174909DBD482CF1A2C664BA0ED3A2

Function 00D831F0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacae5eacccbc6446abfb212f13ad307127a818f575068145aaa72fc0dc1675d
Instruction ID: 8d219b744cbc1664c63abafc07436453bb2a4146e5742aeaee2ccd203c6d19e7
Opcode Fuzzy Hash: bacae5eacccbc6446abfb212f13ad307127a818f575068145aaa72fc0dc1675d
Instruction Fuzzy Hash: 3FF0E274E0120CEFCB04EFA8D444A9CBBF1EB44B41F2040A9C409AB250DB306F85CB65

Function 00D8BCBB Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5837eaff6cfabea4776d7f4bdfa580abd7c8916e8a6cf776a5a3abfe39de429f
Instruction ID: 1ac189dc8a4d26b94ae26984dad323bc18dfe57f476f2fdf869724e7c69cae10
Opcode Fuzzy Hash: 5837eaff6cfabea4776d7f4bdfa580abd7c8916e8a6cf776a5a3abfe39de429f
Instruction Fuzzy Hash: D1F03072A093446FC719CBBE9801A677FEDDF9622071984ABE54CC7241D921A5008765

Function 058405C0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26dc83cff2187c5fd242566298f5c7653b81830e15649a93e4dc5ded70c399b4
Instruction ID: 4d1d182d7e6cae929dc39689c8a4cf7e11de3b0e64ab992da4d66548058028a6
Opcode Fuzzy Hash: 26dc83cff2187c5fd242566298f5c7653b81830e15649a93e4dc5ded70c399b4
Instruction Fuzzy Hash: DBE0653760021417D210A66DF8126DA6A86CBC5268B05857AE1059F341DE22AD460AE0

Function 00D8E261 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6084cb2d5be7561e0b74b4a9d0f142cd3cbe1b5de31b0beb1400af6ef40b400
Instruction ID: b43e4fa78a061db41e52dd46302754639e81e2b6386a92ec65ddec9234aeeb03
Opcode Fuzzy Hash: e6084cb2d5be7561e0b74b4a9d0f142cd3cbe1b5de31b0beb1400af6ef40b400
Instruction Fuzzy Hash: CDF0F971E01219CFCB44EFA8D84169EBBF0BF49200B24C1A6D918E7215E331AA128B80

Function 00D85920 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfcbf6c91e9858992aff5b8449fb13e52429d912d011dcd42ebde9e1a6ba64b2
Instruction ID: ed9a4f7b1356e207a10876967932504196bf15f89ee09ecbc11fc2f7d8a16b45
Opcode Fuzzy Hash: cfcbf6c91e9858992aff5b8449fb13e52429d912d011dcd42ebde9e1a6ba64b2
Instruction Fuzzy Hash: 9EF0A03131A1255FC301ABB8F8288AE7BA6DFC9222314416EE406CB3C5CF30AC06C7A1

Function 05840ED9 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b2b6743fd474ea2ef867d5cb79f466fa6e85eb8070b9d0c53a7ed1293af041
Instruction ID: d37ff77e9e4d81be0067fd9bb6001ea72a5688fa53a0cc7c339c44268d1a887b
Opcode Fuzzy Hash: 85b2b6743fd474ea2ef867d5cb79f466fa6e85eb8070b9d0c53a7ed1293af041
Instruction Fuzzy Hash: 93F0B435A0451A9FCB18DF68C554A9DFBF2AB48300F118169C905FB380CB729D118B90

Function 00D852E8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a6e6c065c23de8334ef8f04112c5fbcc0794103600cc68a3009898155aa475
Instruction ID: f85d9d88b142050587ebb9dc0f8e020d83cf5f99d4400b9d4dfd197882cd842a
Opcode Fuzzy Hash: 84a6e6c065c23de8334ef8f04112c5fbcc0794103600cc68a3009898155aa475
Instruction Fuzzy Hash: 49E02B72A087047FC709EBACB81159DBFE8DF47320F0800EAE448D7252DD31A94583B5

Function 00D8AA58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe942e9c3ccd69433a252ec3afa81938b85201371dced7dd388f96427e93eb41
Instruction ID: e628ca211c4ae3ce8fe3bc4a1531c38300be2f56c395d7e3f48a52a37d5e1a28
Opcode Fuzzy Hash: fe942e9c3ccd69433a252ec3afa81938b85201371dced7dd388f96427e93eb41
Instruction Fuzzy Hash: 6EE048317003145756146B9EB89852ABADAD7CC761754443DF509C3344CE714C064765

Function 058420A2 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5432328684f561535954c988669196473ccd2a3e8788023513b1e91de23e63a3
Instruction ID: d81caf88ba1f3e66beb2284632a241cc6acd02fa34c298f08811e5b7c5b91cb0
Opcode Fuzzy Hash: 5432328684f561535954c988669196473ccd2a3e8788023513b1e91de23e63a3
Instruction Fuzzy Hash: 60E0923170021457C3202669A812BAE3799DFC6328B19446DA605DB351DA22EC0B0BB4

Function 05840EE8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614c640b5a12236337bf68278da359b3955c43792b5e5e14d1c02fcd3ad52040
Instruction ID: 162f574a10335e68ab8ad51bc7ef6f626b7017f8d04b9c5b648902bab18c7f6f
Opcode Fuzzy Hash: 614c640b5a12236337bf68278da359b3955c43792b5e5e14d1c02fcd3ad52040
Instruction Fuzzy Hash: 32F03031A002199BDB18DB68C925A9EBBF5AF88710F10456ED905FB381DB765E018BE4

Function 05840510 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9284cc081dfe5ed75f631cdaf4615a990e059564593fe18497ff6a599d80ac9a
Instruction ID: 6a843053f541ae69b0156449dd3e0a0255bf7f74c1e10295fa6c2d4e3ecf906a
Opcode Fuzzy Hash: 9284cc081dfe5ed75f631cdaf4615a990e059564593fe18497ff6a599d80ac9a
Instruction Fuzzy Hash: 2EE0E5352083802BE312AB7978504DB3FA6CEC311574985EFE105CF252DE62AD1A8BF5

Function 058404A0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62216d695ceaabef8a3fc81ee79f0409b387bfb2a159983e08ffe92383c0742
Instruction ID: b1f134e1d00f83ec7ae7cf38163a95a79ea4ec253974031825f4e8adb0a777f7
Opcode Fuzzy Hash: b62216d695ceaabef8a3fc81ee79f0409b387bfb2a159983e08ffe92383c0742
Instruction Fuzzy Hash: ECE092343106284F8718A369942851E37DAAFCE615B1101A9EE0ACB3A0DE74DC4287A1

Function 00D8E270 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa50e6ee8f5c6f5fe9aeee655a3099eddfca28e96b6cf7be9825655388da6a23
Instruction ID: b59fa7b745312a5bccb2bfb26df2d99c10709e1f3afc02eac00f1d9bef9f1121
Opcode Fuzzy Hash: aa50e6ee8f5c6f5fe9aeee655a3099eddfca28e96b6cf7be9825655388da6a23
Instruction Fuzzy Hash: C3F09271E01219DF8B44EFA9D84169EFBF5EF89200B64816AD919E7211E731AA128FD0

Function 00D80E30 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9135da90ee4ed5668e1dced4c0ffec8303d4e26fee4f986ccc208d021cd3faa
Instruction ID: 94b1a173f0ee0891d5e8008bb8679341babbf41236fa67dd41a03b38e10078ff
Opcode Fuzzy Hash: e9135da90ee4ed5668e1dced4c0ffec8303d4e26fee4f986ccc208d021cd3faa
Instruction Fuzzy Hash: C0E092326003106B83216B68B80549F7B95DFC6335304887AE10ACB350DE72AD4A4BF1

Function 00D8F8E8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e62f4a21eb6a251a095c1ef5243196e3c6a2dd8712ced9354081d6252c45eb7
Instruction ID: 2b878881a9eae101a7ca8596d65d70644b5fa0cd5054063936da446b9422a4cf
Opcode Fuzzy Hash: 2e62f4a21eb6a251a095c1ef5243196e3c6a2dd8712ced9354081d6252c45eb7
Instruction Fuzzy Hash: 23E086327412045BC328A52BF850957B7AAEBC9764B514479E50CD7356CDB29C4687A0

Function 05840E98 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4c2502a90f35f2f55410e1c9b792be6c9850bf42c0f5dcf13af947c4f83746
Instruction ID: d5be3f87c4825930d0a93f2c650a76805efbd3adabda9c2fb01e6a8dd4654531
Opcode Fuzzy Hash: 8a4c2502a90f35f2f55410e1c9b792be6c9850bf42c0f5dcf13af947c4f83746
Instruction Fuzzy Hash: D9E08631300614BB92109E59F98585BBBA9EBC97753409429E90D8B241CA31BE058BF5

Function 058405D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315da9e3ad65aa8c49efe3d632837fe45aad95e2ddde552a88da29e7762d8e4f
Instruction ID: 1c1f55c622c2a6d39faa05ab62063a5193ae3dfc4bfb921d2cf28b3105fc737f
Opcode Fuzzy Hash: 315da9e3ad65aa8c49efe3d632837fe45aad95e2ddde552a88da29e7762d8e4f
Instruction Fuzzy Hash: 79E08636600300679315BA6AB8414DF7A96CBC2224345C5BEE6099F342DE72BD0A47F5

Function 05840520 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4ea8eeef9f2ded3cb7429b93154a3690bbded9c8cb12e55f636106c0d162e3
Instruction ID: 41536a72719cd31953056383ddbb9d6debcad377e4d370042f7b723ada8ffa8b
Opcode Fuzzy Hash: ee4ea8eeef9f2ded3cb7429b93154a3690bbded9c8cb12e55f636106c0d162e3
Instruction Fuzzy Hash: 75E02632600300279310BA69B81048F3A96CAC2220740C5BFE205CF301DE32BD0B47F4

Function 00D8E2A4 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e356606310b7dac030142d4d19a1985025ff2de1c586489efc477dba3da9c540
Instruction ID: a5388277443aa75235d706b2610a852d6dd7ce5dc46e50a17b9a5573da2dc1ac
Opcode Fuzzy Hash: e356606310b7dac030142d4d19a1985025ff2de1c586489efc477dba3da9c540
Instruction Fuzzy Hash: DFE0DF31F006198FCB18DFA9D8006AEB7E5EF893403008092FC24CB310EB74CE268BA1

Function 00D85930 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff666f9947296fb1d976d1ccf087276696c82b1dcb7a748e8fa786a1625d772
Instruction ID: 3fb73971f1e956b22ca30b777dce5aefee56e68120c1134774c175097c5d8432
Opcode Fuzzy Hash: eff666f9947296fb1d976d1ccf087276696c82b1dcb7a748e8fa786a1625d772
Instruction Fuzzy Hash: B8E0863531521457834476BDB4188AE7A9ADBC9635310412AF516C7384CE309C4187A5

Function 058420B0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9334b7d47c121c8bda472545efe33287eb63f45c0c65ae930558d065da387f37
Instruction ID: c6d6821dd56f10f3c1dacd437c8a5e9d19ee3ae4d3527be9892cc212a64716e6
Opcode Fuzzy Hash: 9334b7d47c121c8bda472545efe33287eb63f45c0c65ae930558d065da387f37
Instruction Fuzzy Hash: 62E086317002145747206A69B40687E7799DFC6325344446DF609DB311DE62AC0B4BF4

Function 00D83257 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261aa0b0aceac084bdce79f9c9d0c23e0355a6b0ab7acdd1473954a15ca0cdfd
Instruction ID: 6ef79ba0aa35990662f4c0ca155e5481ede1ca49bc1832824a006afdf9af8d35
Opcode Fuzzy Hash: 261aa0b0aceac084bdce79f9c9d0c23e0355a6b0ab7acdd1473954a15ca0cdfd
Instruction Fuzzy Hash: 6AE09231209B554FC726DBA8F84069D3BE2AF86220B0909AAD4419B156CAA07A49C3D2

Function 00D85979 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a98e03b6cb9422f77e2b12dcc8ab08fd810e0acf930080e607bfa8481257e8a
Instruction ID: a9c993adcec35eb7b8bb56e4edc25259bd42e7c5af106d784b0c43ef46790ed1
Opcode Fuzzy Hash: 7a98e03b6cb9422f77e2b12dcc8ab08fd810e0acf930080e607bfa8481257e8a
Instruction Fuzzy Hash: 2DE0DF3090A24A8FC761EFA0ED4149C7BB0EF46200B0405CEC8069B2A2DA312B08DBA1

Function 00D8DAF7 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603f4cec60844adaeb11eabc5322fefa5a733be0118baa9cdc6f465cbd86e002
Instruction ID: b5349f5b80e622848380d2791dd27bb003c6b772be88289f4edffd902e508d5d
Opcode Fuzzy Hash: 603f4cec60844adaeb11eabc5322fefa5a733be0118baa9cdc6f465cbd86e002
Instruction Fuzzy Hash: 8DE0177588A2818FDB21FF29EC869517BF4FE3A3003180082E408C72A5D225A92ADB71

Function 00D8E8C0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d850455a9bfc068a5576c778c283623fde3ae16ec48676f9e53faf4992095ea
Instruction ID: e848c578d8cddaff2dbbd004d3d532ac77188c47fb215b5707e62c1d9b570431
Opcode Fuzzy Hash: 3d850455a9bfc068a5576c778c283623fde3ae16ec48676f9e53faf4992095ea
Instruction Fuzzy Hash: 23E08631405B448FC701EFB4C455555BF78EF96200B059A8BE8895F173EB30E595D781

Function 00D8BC83 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45063ea727c627aeb9b019c5d827fc61225f05784fc7a27ec517a1b443e79b33
Instruction ID: 042f9e15859f24d2b91d54550c5ea34b827f3ac365b0e6fcf275d431e361c4e7
Opcode Fuzzy Hash: 45063ea727c627aeb9b019c5d827fc61225f05784fc7a27ec517a1b443e79b33
Instruction Fuzzy Hash: E5E08C3040A350CFC780EF38E989555BFF0EF15204B0889AEECC8C7202E630A846DB52

Function 05840591 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4812de1276adfe01a8c64eb2ecb84460235e439a109d993f26853d14dc6d8a77
Instruction ID: 9e310a797c0dbf9479756aacedbc1cad5ca5710f2f7bd1eceb0a391e590415ac
Opcode Fuzzy Hash: 4812de1276adfe01a8c64eb2ecb84460235e439a109d993f26853d14dc6d8a77
Instruction Fuzzy Hash: FDD02232301A3C43C804359CD81A3DE3209EF8002DF122048DE46E3743CE05EE4349CA

Function 00D85988 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc01fb85f1979604c0993f54683c072e162e8ca6c69f526ef20017ea19c9e171
Instruction ID: aee975301a1b4c72b655f5e88826ccdddc03a37710beecda5bf65e4efca6e135
Opcode Fuzzy Hash: fc01fb85f1979604c0993f54683c072e162e8ca6c69f526ef20017ea19c9e171
Instruction Fuzzy Hash: 98D05E70E1620DEFCB50EFA8E90159DBBF9EB45244B1045E8D80AE7314EA312F049BA1

Function 00D8B9A9 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd63ae7b1fb4af05766961b0dea69eca3a9524d8fd1aabace9010342548639cd
Instruction ID: 02a99664cf6a380cdb6a129e154a629c477004a17229e742dbc3fe9454a60e9d
Opcode Fuzzy Hash: dd63ae7b1fb4af05766961b0dea69eca3a9524d8fd1aabace9010342548639cd
Instruction Fuzzy Hash: 4AC012257440100FD255C518D860654A7D28BDA251B28C4A7B598C76A5C965DD038242

Function 00D8E8D0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d968e9bd6505eb8c849f102d026e4bdadfd51a74dc8e3a035148a52bba995db
Instruction ID: 092dbcbb7f60db180ef65802df1f4c28ac71918f6d4d43696934e580b8783668
Opcode Fuzzy Hash: 2d968e9bd6505eb8c849f102d026e4bdadfd51a74dc8e3a035148a52bba995db
Instruction Fuzzy Hash: 03D0C73141470D89C700BFB8D454469B778EED5240F04D65AE44957121FF70D5D0D6D1

Function 058405A0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a99e6b7ade35f84f0b05fa6440018b815a24feee0677a9d3d755c93ab6a069
Instruction ID: 6468ff2b457baa35957bf3b5fc470d05c2a0853d449018cec367a660423fd6a0
Opcode Fuzzy Hash: 74a99e6b7ade35f84f0b05fa6440018b815a24feee0677a9d3d755c93ab6a069
Instruction Fuzzy Hash: 4BC02B3130133C830C043648600C06D330DEF4543C3000049DE0997302CE426D034ADB

Function 05840578 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ccb22acac01df1979be46886e83c1b504aabadaab74031e174fa6bba881de0
Instruction ID: adb91a36c050ef3076c9119cf8154102741f3157d98a94594afeebec0e2b4edb
Opcode Fuzzy Hash: 35ccb22acac01df1979be46886e83c1b504aabadaab74031e174fa6bba881de0
Instruction Fuzzy Hash: 71B0123234030DDB8E185B85B52893B7B5DEA8491E30440ADFD0ECAF01AB33F821CD90

Function 00D80E84 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f91c3f5f5179854f22b3933ddc6e1ebebabb58a768aaa9915e93631f571f038
Instruction ID: 4088d0f7a23bb2989f3dfb3cb9ec23955ce8fd654b22e16659449f256beccddb
Opcode Fuzzy Hash: 6f91c3f5f5179854f22b3933ddc6e1ebebabb58a768aaa9915e93631f571f038
Instruction Fuzzy Hash: ECC04C342191809FC305DB64C9A1425BFA59F87204329C8D994868F263CA23EC07D750

Function 058425BA Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2520621182.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_5840000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f6ba92d86f717dafd594ee63a647ad4ec05ba6cc34e7e28ef0a0875a8e89f6
Instruction ID: 101062f4806d1142bf17873e44551a3dea0860bacd159f644a63263878c48d68
Opcode Fuzzy Hash: 52f6ba92d86f717dafd594ee63a647ad4ec05ba6cc34e7e28ef0a0875a8e89f6
Instruction Fuzzy Hash: 0890024D71525001A66471355C9129D21026BD050D7C98961018144704C96CA4911024

Non-executed Functions

Function 00D8B5A8 Relevance: 6.5, Strings: 5, Instructions: 299COMMON

Download Yara Rule

Strings

K, xrefs: 00D8B7EE
+, xrefs: 00D8B619
;, xrefs: 00D8B725
UYr^, xrefs: 00D8B874
K, xrefs: 00D8B768

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: +$;$K$K$UYr^
API String ID: 0-685714319
Opcode ID: 834378a67264b46d8f2b1a9313ccaa1bda2a0e712773f06fe2fb2515b4c6c758
Instruction ID: 5e1ccf7a04e4d43c188fb01373de10ce5ee21e32fe5e7fa25c5909192078f023
Opcode Fuzzy Hash: 834378a67264b46d8f2b1a9313ccaa1bda2a0e712773f06fe2fb2515b4c6c758
Instruction Fuzzy Hash: 0DC134787002059FDB04EF69E59586EB7B1FF493103158AAAF9028F3A6DF74DD058BA0

Function 00D8B598 Relevance: 6.5, Strings: 5, Instructions: 286COMMON

Download Yara Rule

Strings

K, xrefs: 00D8B7EE
+, xrefs: 00D8B619
;, xrefs: 00D8B725
UYr^, xrefs: 00D8B874
K, xrefs: 00D8B768

Memory Dump Source

Source File: 00000012.00000002.2502112720.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_d80000_ScreenConnect.jbxd

Similarity

API ID:
String ID: +$;$K$K$UYr^
API String ID: 0-685714319
Opcode ID: 036b8a6a220629a78a31b1130564c08ed9029288f3507cd5ffa060f06a43e11d
Instruction ID: beef229bc82c98380c6644b6d0837318f9d2acefe55f0dd8b69c24d6393178e7
Opcode Fuzzy Hash: 036b8a6a220629a78a31b1130564c08ed9029288f3507cd5ffa060f06a43e11d
Instruction Fuzzy Hash: B2C145787002059FDB05EF69E59586EBBB1FF493103158AAAF9028F3A6DF74DC058B90

Analysis Process: ScreenConnect.WindowsClient.exePID: 7952, Parent PID: 7872COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFAACFE2FED Relevance: 3.9, Strings: 2, Instructions: 1437COMMON

Download Yara Rule

Strings

(, xrefs: 00007FFAACFE357C
x(t, xrefs: 00007FFAACFE3AEF

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: ($x(t
API String ID: 0-3188275639
Opcode ID: 552128438bb9e2f182e58f1561ba5c453be00c041fdbf8928a15da5198bbce0e
Instruction ID: 0bfb5ce6bafc366250b26ed3c3ca8e5ee58d9ba8d3d98c981c6ce3432c30f383
Opcode Fuzzy Hash: 552128438bb9e2f182e58f1561ba5c453be00c041fdbf8928a15da5198bbce0e
Instruction Fuzzy Hash: D2B2B7B180E7C68FE766973C88196A97BD0EF57310F0945FDD88D8B1A3DB18A50E8391

Function 00007FFAACFD6571 Relevance: 2.6, Strings: 1, Instructions: 1322COMMON

Download Yara Rule

Strings

E, xrefs: 00007FFAACFD670F

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 974e325d01799c713bbb320d06f56724a3a2e5e3a8765774fae894225f427d98
Instruction ID: 7df28ebcc7362b66fe0aface927249110334534bf9669d1770a2098693d1e009
Opcode Fuzzy Hash: 974e325d01799c713bbb320d06f56724a3a2e5e3a8765774fae894225f427d98
Instruction Fuzzy Hash: F8923561A1DB4ACBFBAA973884553B977D1EF46304F1484BBD44EC7186DE28E80AC3D1

Function 00007FFAACFD6DC2 Relevance: .9, Instructions: 881
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5818038a6951c894f39b016f06591a081980691cbd57907879c5647ab87766
Instruction ID: 9d56ef32813e3a8c01e13cd22ecd136474afa853da4f718cd9a403909e37eb31
Opcode Fuzzy Hash: df5818038a6951c894f39b016f06591a081980691cbd57907879c5647ab87766
Instruction Fuzzy Hash: FA52F070A1DB46CFEB9AEB3884557B977E1EF96304F04847AD00EC7296DE24E809C791

Function 00007FFAACCC7FC4 Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetProcessMitigationPolicy.KERNELBASE ref: 00007FFAACCC80F2

Memory Dump Source

Source File: 00000013.00000002.2514230742.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaaccc0000_ScreenConnect.jbxd

Similarity

API ID: MitigationPolicyProcess
String ID:
API String ID: 1088084561-0
Opcode ID: f95a619138d369eae1e897ee09a5aca244185fa875aa5c9aa3f304a599961a1d
Instruction ID: d89c60910d86da6120ca8fa7a5f1ffa442a952abcca28f245b4a94df10b50bd8
Opcode Fuzzy Hash: f95a619138d369eae1e897ee09a5aca244185fa875aa5c9aa3f304a599961a1d
Instruction Fuzzy Hash: AA413971D0CB498FE7159FA89C4A5F97BE0EF56311F04417EE049C3292DF68A84A87D1

Function 00007FFAACFD0038 Relevance: .6, Instructions: 588
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8305d14664597683db2540f8912ad79a160061d3fd811811372ab1cdec376e
Instruction ID: d2996745b45cae6eace97a163acb4be5cd7fbce7f413af7de95973b579ead92a
Opcode Fuzzy Hash: 1a8305d14664597683db2540f8912ad79a160061d3fd811811372ab1cdec376e
Instruction Fuzzy Hash: 7702E461A1EB4A8FF79AD72C84557B837D1EF5A305F5480BAE44EC7283DD18E809C3A1

Function 00007FFAACFD56B9 Relevance: .4, Instructions: 414
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa1bcc5f04eb7d5e15920b6aef69aed8a92333735283372d15b6b83049171fe
Instruction ID: 31aa77b56ec9467ddeb8d2c409b7a6684dd1cce66a845c2d1faf0866de1479f2
Opcode Fuzzy Hash: 7aa1bcc5f04eb7d5e15920b6aef69aed8a92333735283372d15b6b83049171fe
Instruction Fuzzy Hash: 82C16CA290DB4A8BFF96D73884426B877D0EF56324B14427AD45EC7183ED24F94AC3D2

Function 00007FFAACFD514D Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb6abd220ab89eced9fdfc56ef76705ab1fe143ecac39674801a59996b0656f
Instruction ID: bef349b0a960094aa6d1741b003d4cc715f546d3ae16a3c96e27604e69e5ccf4
Opcode Fuzzy Hash: 1cb6abd220ab89eced9fdfc56ef76705ab1fe143ecac39674801a59996b0656f
Instruction Fuzzy Hash: 31D16D7460DB098FEB89EF28C090AA577E1FF55304B2549E9D05DCF297CE25E846CB90

Function 00007FFAACFD6792 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84825f6ad88aefa41517573b38db7f07cce5459240a99d9412452170633958e
Instruction ID: 8cfd23b3e93d58d0b83bfbf35bacb05f7c1cf2a1d155be22f6431d1359a9af44
Opcode Fuzzy Hash: a84825f6ad88aefa41517573b38db7f07cce5459240a99d9412452170633958e
Instruction Fuzzy Hash: 45B19530A1EB4BCAFB5B973884557BD66D2EF86309F54847AD00EC71C6DD28E84AC2D1

Function 00007FFAACFD1E74 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15d6393eb770e35ff131ab8116c5fcf92ae2cf3f0986f93911e39d0b809e325
Instruction ID: dabfd1fe4114ba467b94f76f6f2637e96b9da6f8f2e85644a5bf6a7743444ac8
Opcode Fuzzy Hash: c15d6393eb770e35ff131ab8116c5fcf92ae2cf3f0986f93911e39d0b809e325
Instruction Fuzzy Hash: BEA146B2A1DB4A8FEB99DB28C846BB93790FF55314B0480B9D04EC7197DE24E806C7C1

Function 00007FFAACFE438A Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd8123309355894cbd3a925bb748132ef54fb841ae5eee68cd15534c15af745
Instruction ID: 49535bb22375c18d0e494ab9470010d6e297cd9c9b117ebcddc3dc8e6e8e3ef2
Opcode Fuzzy Hash: 7dd8123309355894cbd3a925bb748132ef54fb841ae5eee68cd15534c15af745
Instruction Fuzzy Hash: 28A1E13190E7998FE759EB7C98056A9BBE0EF86304F0441BED44DC7192CF25A84AC7D1

Function 00007FFAACFD680C Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059aa19381f6c036d4fb9defc0aabcd60f55096ec8d18b30586fbe003adb018a
Instruction ID: b0ee8ca767e026d85f40579a31b3f8f40aeba3c4ddc23e42d8f471db0723a66b
Opcode Fuzzy Hash: 059aa19381f6c036d4fb9defc0aabcd60f55096ec8d18b30586fbe003adb018a
Instruction Fuzzy Hash: CD811965A1DB47CBFFAA9B3848557BC26D1EF56308F0484BED45EC7186CE18E809C2E1

Function 00007FFAACFE51CD Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd9d18eae19ce4e80ada869d69b40f21d28b6e693e42e06796f6c28ba5c3426
Instruction ID: 4b7225f96b865c6038041ecf5c6e74d0b5465b681f1f39ee3fe547ae21bd2b1d
Opcode Fuzzy Hash: ddd9d18eae19ce4e80ada869d69b40f21d28b6e693e42e06796f6c28ba5c3426
Instruction Fuzzy Hash: 96612732A0EB498FFF649B7C98511AD7BA2EF99310B04417AD05DC3592DF65E80A83D1

Function 00007FFAACFDA5F6 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3fb3d9e380b147364c555a15551bec5ef23b76d417397fe476e4e5b27d236a
Instruction ID: 27812db399178dd78df393053bf747e61f52f5c96f9a5011170401297ee3119f
Opcode Fuzzy Hash: 2e3fb3d9e380b147364c555a15551bec5ef23b76d417397fe476e4e5b27d236a
Instruction Fuzzy Hash: 27615260B1DA098FEB95EB6C8459BB873E2EF99300F5441B5E00DD7296CE28EC46C785

Function 00007FFAACFD0AF3 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931327b984bc1f5d5f64a02760c881d276868f50954021e63af8131f53451c7a
Instruction ID: 8e1f73797dac6b909866323bf0bdec7f86778411035d64801dde820a211c60c8
Opcode Fuzzy Hash: 931327b984bc1f5d5f64a02760c881d276868f50954021e63af8131f53451c7a
Instruction Fuzzy Hash: DB51D7A2D0E7C6CBF3564738986A1A97F90DF12219B0981B7D09D8B193DD18A90AC7E1

Function 00007FFAACFD6AA0 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf21dd1ebc574fc12b642487827c6997ece0d40a154096adbe0d2589f4a5e03
Instruction ID: 310b281d44056106c73cd81b042ba7502d1c026bbabd41c4572847fbb3669cda
Opcode Fuzzy Hash: ebf21dd1ebc574fc12b642487827c6997ece0d40a154096adbe0d2589f4a5e03
Instruction Fuzzy Hash: 22516961A2CB868BFB6AAB3884557B836C1EF55308F1484BED45EC7196DD28E80983D1

Function 00007FFAACFD440A Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316a10b662cf41bf1bd6b9ab61f24172ed5ac7983d1b1e38145b7f911edbb04f
Instruction ID: 07ad36b3e003b68247052022c54e38bc79524f4e93c8a18d0295d0d1158033d5
Opcode Fuzzy Hash: 316a10b662cf41bf1bd6b9ab61f24172ed5ac7983d1b1e38145b7f911edbb04f
Instruction Fuzzy Hash: 1A512292B0EB868FF786937848557B82F90DF57205B0880BBD45DCB1D3DD0C984A83E1

Function 00007FFAACFDA836 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd00dd608618f854706aba45cdc64250c2aecd15bc3f96b57f9793d5ac69492
Instruction ID: efb8620877ea93f4d863fe5c9208b50850a197cd89378f23d6372a18c6d58af2
Opcode Fuzzy Hash: 1cd00dd608618f854706aba45cdc64250c2aecd15bc3f96b57f9793d5ac69492
Instruction Fuzzy Hash: 9F51D53191DA4ACBFB99EB2884447B933A1FF95304F1484BAD00ED3186DE24EC46C7D6

Function 00007FFAACFE3EFA Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d4bf834c840721ec6905aef33a4bd11e73f5af2333f0dc45115e2e26f8bf9d
Instruction ID: a4ec54596b0f2e69795d425ef5d9c63911d17d5e2817328869d9664a969f6d49
Opcode Fuzzy Hash: f0d4bf834c840721ec6905aef33a4bd11e73f5af2333f0dc45115e2e26f8bf9d
Instruction Fuzzy Hash: F94134A2A09B598FFA94A7BCA4595FC3BE0EF56310B08417AD50EC7183CF25A84987D1

Function 00007FFAACFE4E36 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca447527e6b0507f6dcabf5297b84c00a80b52572ff722551f2d5b0492360fa
Instruction ID: 64522a478eb9942044582ade70b415a7a5792fe6c92e2c02be28556564bff560
Opcode Fuzzy Hash: 4ca447527e6b0507f6dcabf5297b84c00a80b52572ff722551f2d5b0492360fa
Instruction Fuzzy Hash: 48414761A2DB8E8FF7469B7C94456B8BBA1FF46210B4481BED00DC3183DF14E80A8791

Function 00007FFAACFDC195 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c34d55fc8e7f19c4665918d79800930deb736931b38ffcaef1f05ff02361b91
Instruction ID: 285746d690a17c3dd96a1e8b5cab33a7a2d868d4171315934b66896fa74bc062
Opcode Fuzzy Hash: 4c34d55fc8e7f19c4665918d79800930deb736931b38ffcaef1f05ff02361b91
Instruction Fuzzy Hash: DB414952A1DF0A8FF786E73C98992B877D1FF96244B5881B6D00DC3186DD18EC0A83D2

Function 00007FFAACFD5CC9 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc95b826c935980d3ab59b63f6dfe84f258b985e6252e6d75f601d5a4bcd0e84
Instruction ID: 67b88a50042dae2057141ec5bf303b6f8cb63d9a7cd3005637f9204f63e21137
Opcode Fuzzy Hash: fc95b826c935980d3ab59b63f6dfe84f258b985e6252e6d75f601d5a4bcd0e84
Instruction Fuzzy Hash: 154162B061DB498FEF89DF2888A4AA937A1FF59314B14419AD41EC7292CB31E846C751

Function 00007FFAACFDB045 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c049ad45be7e0ec780b64b001831f52f55a29d384743265bfadea3a951fc2c22
Instruction ID: 64aa67a0539944eb199e589b5f8acaa595fd781fc5d362b8b1a807e820d7b3c4
Opcode Fuzzy Hash: c049ad45be7e0ec780b64b001831f52f55a29d384743265bfadea3a951fc2c22
Instruction Fuzzy Hash: FC311661A1DB0A8FF796EB3CD449A7873C1EF59214B1486BBC41DC3292DE24E846C7C1

Function 00007FFAACFDCE52 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3853ab7457e3f385bba66e3fc56441256ecff5617ed889936856d7e6bb1a7c7
Instruction ID: adb9fabe56a672bb120bba89c56cc5efbca47241a983c8e2b3aa88099f2affe2
Opcode Fuzzy Hash: c3853ab7457e3f385bba66e3fc56441256ecff5617ed889936856d7e6bb1a7c7
Instruction Fuzzy Hash: 1141C87090971A8FF795EB38C4497AC77E0EF55304F5581BAC40DD72A2DE28E8898B91

Function 00007FFAACFD3D7A Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab1357c19fc976625e0d0634b8514f641d97516aec70f3693c91af3a412f685
Instruction ID: 549c986ed762fe9acfdf30ee8d47df6f8dd99c7da5b5aa5caf9af18b12ac6f38
Opcode Fuzzy Hash: dab1357c19fc976625e0d0634b8514f641d97516aec70f3693c91af3a412f685
Instruction Fuzzy Hash: 7C31F561A1EB868FE396977884557F967E1EF86204F0440FAD44EC71D3CD2C984EC391

Function 00007FFAACFDCEFB Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc17c2fe8b02886b64d51b2b65266b4df83e23975126ce5e68334b3398aab11e
Instruction ID: 366d69afbc4ed1eec139c06eb31110a596e3cedaa83c4e1abc00824021c2b098
Opcode Fuzzy Hash: bc17c2fe8b02886b64d51b2b65266b4df83e23975126ce5e68334b3398aab11e
Instruction Fuzzy Hash: F6315A71909A1D8FEBD5EB2CC449BA877E1FF58300F5580BAD40DD72A2DE34AD858B90

Function 00007FFAACFE538A Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc474629df3961ddbd912dd648b2f8f1c7d1e50dd2a6805bfbf6d7235944a5a0
Instruction ID: 1a1093689d13bff5b34ac9374ff5d562d788618c454f8d52930948ce57214efd
Opcode Fuzzy Hash: cc474629df3961ddbd912dd648b2f8f1c7d1e50dd2a6805bfbf6d7235944a5a0
Instruction Fuzzy Hash: E5214C3151EB8D8FE755DB3998141A97BE2FF86320B0441FBD08DC3592DB68E846C391

Function 00007FFAACFD1D44 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac4cec2f20ed722ce751adbd465e9ab57b99c4db566b754b1772941f2418226
Instruction ID: ce2e558ed990a58d38e23eaa958e7375d566ae5c1d6fe357b215e627a2765320
Opcode Fuzzy Hash: 8ac4cec2f20ed722ce751adbd465e9ab57b99c4db566b754b1772941f2418226
Instruction Fuzzy Hash: 6631C57160DB868FE79ADB38C454BB937E1FF59304B0485BED45EC7292CA28E805C790

Function 00007FFAACFDA926 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ceaa980eb7938583cc55adb111fad9b6d0fd33106ff64227580400cac5a5d1
Instruction ID: 0ad9fd3d3aba36517d96fa9ea817ca5e5ef50837bd90abb0b78197fe8d01f32b
Opcode Fuzzy Hash: 28ceaa980eb7938583cc55adb111fad9b6d0fd33106ff64227580400cac5a5d1
Instruction Fuzzy Hash: DF21F631A1DB4ACBFB5AEB2894447B93791EF45308F5480BBD00E97186ED25E80AC3D6

Function 00007FFAACFE444A Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b0a082826a10206bea77471ed84ee8bea568b37da827e5d6953fa503b57435
Instruction ID: daa5c2756c131a8ac92fdc0f2d65e2991b5f0c4d4e62e2aee72b5b6599a5f20f
Opcode Fuzzy Hash: 49b0a082826a10206bea77471ed84ee8bea568b37da827e5d6953fa503b57435
Instruction Fuzzy Hash: 7B21807490964DCFE758EF68C8415A8BBA1FF95301B0082BDD41EC7291CE35D84ACBC0

Function 00007FFAACFD4AE9 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05a5bd794cfc449e7f0956a1106af7c41587c68f1ba6828c85ba90eb5dbd837
Instruction ID: 58f6b1d50cb94038b46ac3a978c36d3392694a41440c9affe12927186e618002
Opcode Fuzzy Hash: c05a5bd794cfc449e7f0956a1106af7c41587c68f1ba6828c85ba90eb5dbd837
Instruction Fuzzy Hash: E021F452A1DB4A4FE3A6EB7C88657B46BD1EF6A310B4401FAE04DC3293EE1C9C458391

Function 00007FFAACFD5B5D Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d097eef25e88a19ebd4568bf89a7210b78e543e269b821f681c9020d2de9f41e
Instruction ID: 061fb453a3c5de8f6036adc280e007509822736306905df6c183b1e1324507ed
Opcode Fuzzy Hash: d097eef25e88a19ebd4568bf89a7210b78e543e269b821f681c9020d2de9f41e
Instruction Fuzzy Hash: CF11B7B1E1EB488FEF95DB7458611BC3FA0EF5A305F09409AD48DD7192DB21D508C792

Function 00007FFAACFDC198 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4189fe2cff01663becc1d94ef4af0ed8f0c777a681cda548e8d8496ad22ac946
Instruction ID: d879be4cec269caf28d2e205dbb41544063b992c9ee27e58d83b79075630687e
Opcode Fuzzy Hash: 4189fe2cff01663becc1d94ef4af0ed8f0c777a681cda548e8d8496ad22ac946
Instruction Fuzzy Hash: F3113891A1DB598FF786E37C8CA66B43BD1EF56204B0980B7D04DC7187DD0CAC098392

Function 00007FFAACFE3FD2 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef4601b74793434f32283727a48432d06c72b96a3974c468de19ee1abbce734
Instruction ID: 0da4d357857ebccfbcb0468c0c0d21c29bf69596acbf18b7739dc74f289e7fd8
Opcode Fuzzy Hash: 4ef4601b74793434f32283727a48432d06c72b96a3974c468de19ee1abbce734
Instruction Fuzzy Hash: CD118E30B19B48CFEBA4DBBC94985683BA1EF6A30470401BDE54EC7292CF21D8098692

Function 00007FFAACFD4A59 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180255f7f9eeffa0c91200a01e4f7aed074e6bef90d1ed8fb4da2afa408f3a51
Instruction ID: 0031392025802a88c63b95488d42d6ebe9dd0c1c5ea235010b65ee56ec4fe16f
Opcode Fuzzy Hash: 180255f7f9eeffa0c91200a01e4f7aed074e6bef90d1ed8fb4da2afa408f3a51
Instruction Fuzzy Hash: 7F11A01590EB478AF7AA9B3884613796EE0EF46200F59C1FBC44DD61D2DC1DDC89C3A6

Function 00007FFAACFD1FD8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4312f447c646f787244f15348e266251a668a56984b03a5c026e57b78f556c7
Instruction ID: c7088b6a632a57738af7db25a32d92da59393fe6b790be85c14aaed52651641a
Opcode Fuzzy Hash: b4312f447c646f787244f15348e266251a668a56984b03a5c026e57b78f556c7
Instruction Fuzzy Hash: FC119361A19A458FEA89EF28C044B6977A1FF56304F0480B9C45ECB297DE39EC4AC7D1

Function 00007FFAACFD4700 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d98225c1b5c5147644bd06f94abd39f80281178c869f86c1c5a18900369970d
Instruction ID: 8b8bb52421ae0ea1fe3589e74ad891dd9057802c38eaa68823ad41843325b770
Opcode Fuzzy Hash: 0d98225c1b5c5147644bd06f94abd39f80281178c869f86c1c5a18900369970d
Instruction Fuzzy Hash: 7C01A13060CA084FEBD4EA28E858B7A77D1EF99315F54057ED84CC36A4DE16A885C740

Function 00007FFAACFD2041 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19407669f3799d1f4fad79b9bce43461a6ab4502335b72f50cc3ed88cc5c6594
Instruction ID: abce28fd2ea23c60ec906b62984a59ccd7d6b235894612a048c143ff2c81744b
Opcode Fuzzy Hash: 19407669f3799d1f4fad79b9bce43461a6ab4502335b72f50cc3ed88cc5c6594
Instruction Fuzzy Hash: 83116061A19A458FEA89EF28C044B6977A1FF5A304F0480B8C45ECB297DE35E84AC7D1

Function 00007FFAACFDBD3D Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554a36293ba9d81de92a35ff10abbaa7596f8931d35c72766195a9915f5f72cf
Instruction ID: 86b98ba2e6babc6d1abb1956d0f1a18f7f60e40c647d014e47190dac2ac75951
Opcode Fuzzy Hash: 554a36293ba9d81de92a35ff10abbaa7596f8931d35c72766195a9915f5f72cf
Instruction Fuzzy Hash: A901526571EB0D8FF786FB3C945927826D2EBDE241714457AD00EC3296DD24E84A8380

Function 00007FFAACFD46E5 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0490901c00cfcd47170aafd307778c46512ff555b0351f34524da92d31c6ed4
Instruction ID: b35c84fa7c221d6f134881498e2abe2d85849e9e17daa818d601cdb92719193d
Opcode Fuzzy Hash: a0490901c00cfcd47170aafd307778c46512ff555b0351f34524da92d31c6ed4
Instruction Fuzzy Hash: D501F57150DB844FE7C6D73898682B57FE0EF97215B1801FBD88CCB5A2DE199845C391

Function 00007FFAACFDD09F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db07e39915964d85c60c37766439864545468f724809a231db51237e8c680e36
Instruction ID: ca3e6576133634adee57ffa66e65db087df80fdd890cce97f3d377546d6d00bd
Opcode Fuzzy Hash: db07e39915964d85c60c37766439864545468f724809a231db51237e8c680e36
Instruction Fuzzy Hash: 9D012571D05A2E8EEBA4DB28888D7ECB3B1EB99305F1001FAC40DD7291DE345AC68B51

Function 00007FFAACFD0715 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dee09f49c5060e78b6db9788b27b567ff7e2d84be69828fe92dd06e733c8b10
Instruction ID: 16135adbdac94526bddcd505bf33ada05a4e7b6ae266aeb94e3c9b9893318272
Opcode Fuzzy Hash: 3dee09f49c5060e78b6db9788b27b567ff7e2d84be69828fe92dd06e733c8b10
Instruction Fuzzy Hash: 1EF0A42144E3D24FE35297B48CA66A47FE0EF47110B0E81FAD489CB4A3D54C588A87A2

Function 00007FFAACFDD250 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5bee30f9bcce05198020f6318b379bd72b75afb511e3a4908edd8aa306b79a1
Instruction ID: eb44824332a6084897782cafd066133884f044a5d07bd800cf843a12e45a2b56
Opcode Fuzzy Hash: f5bee30f9bcce05198020f6318b379bd72b75afb511e3a4908edd8aa306b79a1
Instruction Fuzzy Hash: BFE09BB114E50C6EA61CAA55AC079F7379CE747134F00111FE18E81002F552B5278795

Function 00007FFAACFD3D08 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a54a4e8c664f46915152271fa368bf800eae636ac417c35380b80c1740c6db61
Instruction ID: f5c07f32b8130267da49ff0866d6d94c822d308aa9e0f0979942482a33e9d20b
Opcode Fuzzy Hash: a54a4e8c664f46915152271fa368bf800eae636ac417c35380b80c1740c6db61
Instruction Fuzzy Hash: 10F0E93680C68D8FDB07DB74D815AD9BFB0EF12311F04028AD45DC70A2DA24D958CBE2

Function 00007FFAACFDC3CD Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3204b07e81bd009516bd5a89d9aa93a608d897b23c06f9c6e7b2d385c2521856
Instruction ID: b09026df18e9e6860960809052d4dffb637403c42b5d05fa7be70e3890240706
Opcode Fuzzy Hash: 3204b07e81bd009516bd5a89d9aa93a608d897b23c06f9c6e7b2d385c2521856
Instruction Fuzzy Hash: F4012874918A1D8FDB59EF28C8A97A9B3F0FBA4302F1045AEC00EE3251CF356985CB41

Function 00007FFAACFDC326 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a89f0a01047fa8a339514aea540d7d4189b98ae942e2ccdf0645016792a7d00
Instruction ID: 3351a865c5a1de48a13212fc0358299982b1e7a15079d076b578c5a9a7a883de
Opcode Fuzzy Hash: 2a89f0a01047fa8a339514aea540d7d4189b98ae942e2ccdf0645016792a7d00
Instruction Fuzzy Hash: C6F028628087889FF7869B3888086AC7FB0EF46200F5440E7D40CCB092DE24A54AC7D1

Function 00007FFAACFD3FF9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e01ba3d32343c99afe16e8bfd10317d04b7b08f1880fd4abdb1f235966aee14
Instruction ID: 4d3d9b68b202f21aeb36d0642996fde0899602c8ec4f2e296ea90a64d6f27cc4
Opcode Fuzzy Hash: 5e01ba3d32343c99afe16e8bfd10317d04b7b08f1880fd4abdb1f235966aee14
Instruction Fuzzy Hash: 59F062B291D7494FD3166738C45A2A97F71FF45201F8840EED40DCA293EE28D9158791

Function 00007FFAACFD05B1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb981186a53986f09ea3d9fbcc9ddd851c636819fe4de221fa2bde0fd486fc5
Instruction ID: a5d79d2bc48def320466c512d8ae97984121ac2da1537a23be1d40e4fd58d472
Opcode Fuzzy Hash: 3fb981186a53986f09ea3d9fbcc9ddd851c636819fe4de221fa2bde0fd486fc5
Instruction Fuzzy Hash: 95E0D82041AB458FE74B573588A89E23FB0EE5721078900D7EC84CE0A3FE19C9D9C391

Function 00007FFAACFE510A Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b37193e643d88586852c09e8c2acce26468406fc6d98f336cd778480ec56ae2
Instruction ID: a69c9de416d73334662c4c831cdb74c6fb9f360dd3630ca095ca018fc4235e0e
Opcode Fuzzy Hash: 8b37193e643d88586852c09e8c2acce26468406fc6d98f336cd778480ec56ae2
Instruction Fuzzy Hash: F1D05B42B19D1D8BB9D4972C74492F802D1DB9916074541F3D40DC324EDD1CDC8703C1

Function 00007FFAACFD4A70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4c77b73cfcf4934822dd3db840436bdb4f39c13488fa45a5b52ef4dac1d8a4
Instruction ID: bb310cdef366190c6121222992ba88696ff11aa6e605118702e608a3e1fa4fea
Opcode Fuzzy Hash: 4d4c77b73cfcf4934822dd3db840436bdb4f39c13488fa45a5b52ef4dac1d8a4
Instruction Fuzzy Hash: 91E0C21685EA1382FABD2B35A4513BE64D4DF06305F4580FBA40DD50C1ED0CDD88C1E6

Function 00007FFAACFD20E0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfcb7bcd1773a1238bb2ab3956b20ec307dd4527e726c5d1d94678174b397ccd
Instruction ID: 7dc174f278688b84a1d2d67b1668b6ddf0ebf202042e2d02606fc711f4465f92
Opcode Fuzzy Hash: cfcb7bcd1773a1238bb2ab3956b20ec307dd4527e726c5d1d94678174b397ccd
Instruction Fuzzy Hash: 5BC09B14E0D616CEF546EF35C54527D11427F8B205B50D431D00DC51C6CD3CE506A181

Function 00007FFAACFD20FD Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed2f7ab89c9b89f88a203b0e7ca3d3896c3cdacc7b0769b1328aa1a8196e655
Instruction ID: 3fd67aa9af2cf4a686be5db95a6787a31a9ac09915e19386cb6a70245833950f
Opcode Fuzzy Hash: 9ed2f7ab89c9b89f88a203b0e7ca3d3896c3cdacc7b0769b1328aa1a8196e655
Instruction Fuzzy Hash: BCB0922090E306CAFA5A9B31884827D1142AF8B219A51D432905E854918D29E60CF1A0

Function 00007FFAACFD1E22 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2520245845.00007FFAACFD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACFD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffaacfd0000_ScreenConnect.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9bf10c95366cd17921f3f8f02af1c22f9916b6c8cf4d1a0170ad7e8dc39ff70
Instruction ID: 1991e28f0df855313318f0f51b78bcd31f93bff75b9be20b304824827eb8085b
Opcode Fuzzy Hash: b9bf10c95366cd17921f3f8f02af1c22f9916b6c8cf4d1a0170ad7e8dc39ff70
Instruction Fuzzy Hash: 1FA00204E0EB26CAB4537724C20127E40414F47615A31D172D14D811DADD2CE54AA2D6

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.4cdd5988-935f-4255-9ab4-31eed42bc85e.1.etl

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_BE4413523710330F97BEE5D4A544C42B

Windows Analysis Report
1C769A32-2CBF-4738-9013-480E0434BAEF_06182024030338389.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre